Feeling rather stupid here. Let's say I have:

o 192.168.1.0/24 (internal)
  o realm DOMAIN.COM
  o kdc.internal.domain.com (192.168.1.100)
    o kdc.conf allow-null-ticket-addresses = true
    o host principals for
      o firewall
      o kdc
      o slavelinux
      o externalbox
    o user principal for testuser
    o testuser also local user in kdc
    o "GSSAPIAuthentication yes" in /etc/ssh/sshd_config
  o slavelinux.internal.domain.com (192.168.1.200)
    o testuser local user in slavelinux
    o kdc.keytab with slavelinux's host principal
    o "GSSAPIAuthentication yes" in /etc/ssh/sshd_config

o 192.168.11.0/24 (external)
  o externalbox.domain.com (192.168.11.188)
    o in .ssh/config
        Host *
          GSSAPIAuthentication yes
          GSSAPIDelegateCredentials yes
          GSSAPITrustDns yes
          CheckHostIP no
    o testuser local user in externalbox
    o kdc.keytab with externalbox's host principal
    o "GSSAPIAuthentication yes" in /etc/ssh/sshd_config

o Firewall
  o firewall.domain.com 192.168.11.10
  o firewall.internal.domain.com 192.168.1.1
  o port 88 (tcp/udp) forwarded to kdc
  o port 22 (tcp) forwarded to kdc
Creating a ticket on slavelinux as testuser and then ssh'ing to kdc works fine. So, as testuser@externalbox, I do

testuser@externalbox:~$ kinit -f -A -p testuser
Password for testu...@domain.com:
testuser@externalbox:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: testu...@domain.com

Valid starting     Expires            Service principal
09/06/11 04:06:40  09/06/11 14:06:40  krbtgt/domain....@domain.com
        renew until 09/07/11 04:06:34
09/06/11 04:08:45  09/06/11 14:06:40  host/firewall.domain....@domain.com
        renew until 09/07/11 04:06:34
testuser@externalbox:~$

The log file in kdc shows the authentication taking place:

Sep  6 04:06:34 kdc krb5kdc[13460]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.11.188: NEEDED_PREAUTH: testu...@domain.com for krbtgt/domain....@domain.com, Additional pre-authentication required
Sep  6 04:06:40 kdc krb5kdc[13460]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.11.188: ISSUE: authtime 1315296400, etypes {rep=23 tkt=18 ses=18}, testu...@domain.com for krbtgt/domain....@domain.com

Now, when I try to ssh from externalbox to the kdc, it seems that gssapi-with-mic isn't working:

testuser@externalbox:~$ ssh -K -vvv testu...@firewall.domain.com
[...]
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug3: Trying to reverse map address 192.168.11.121.
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/testuser/.ssh/id_rsa
debug3: no such identity: /home/testuser/.ssh/id_rsa
debug1: Trying private key: /home/testuser/.ssh/id_dsa
debug3: no such identity: /home/testuser/.ssh/id_dsa
debug1: Trying private key: /home/testuser/.ssh/id_ecdsa
debug3: no such identity: /home/testuser/.ssh/id_ecdsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
testuser@firewall's password:

What am I missing here? The kdc log file tells me that

Sep  6 04:08:45 kdc krb5kdc[13460]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.11.188: ISSUE: authtime 1315296400, etypes {rep=18 tkt=18 ses=18}, testu...@domain.com for host/firewall.domain....@domain.com

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
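Added example, not part of the mailing-list post. The post's KDC log shows the client obtaining a ticket for host/firewall.domain.com, because that is the name it connected to, while the sshd that answers the forwarded port 22 is the one on kdc. gssapi-with-mic can only succeed if the keytab on the machine whose sshd actually answers holds the key for the principal the client requested. The checker below models that: it predicts the service principal an OpenSSH client will ask for (with and without GSSAPITrustDns canonicalisation), follows the firewall's port forward to the real sshd host, and looks for that principal in a `klist -k` listing. The DNS map, port-forward map and keytab contents are constructed assumptions that mirror the setup described above; the post does not show the real keytab.

```python
"""Predict the host/ principal an OpenSSH client will request and check whether
the sshd that really answers holds a key for it.

Added example; DNS, port-forward and keytab data below are constructed.
"""
import re

REALM = "DOMAIN.COM"

# Constructed forward DNS for the lab described in the post (assumption).
DNS = {
    "firewall.domain.com": "192.168.11.10",
    "externalbox.domain.com": "192.168.11.188",
    "kdc.internal.domain.com": "192.168.1.100",
    "slavelinux.internal.domain.com": "192.168.1.200",
}
REVERSE = {ip: name for name, ip in DNS.items()}

# Constructed: TCP port forwards performed by the firewall (assumption).
PORT_FORWARDS = {("192.168.11.10", 22): "192.168.1.100"}

# Constructed `klist -k` output per host, keyed by IP (assumption: the box
# behind the forward only has its own host principal).
KEYTABS = {
    "192.168.1.100": """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/kdc.internal.domain.com@DOMAIN.COM
   2 host/kdc.internal.domain.com@DOMAIN.COM
""",
}

# Same host after also extracting a key for the externally visible name.
KEYTABS_AFTER_FIX = {
    "192.168.1.100": KEYTABS["192.168.1.100"]
    + "   2 host/firewall.domain.com@DOMAIN.COM\n",
}


def parse_klist_k(text):
    """Return the set of principals named in a `klist -k` listing."""
    principals = set()
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)\s*$", line)  # "<kvno> <principal>"
        if m:
            principals.add(m.group(1))
    return principals


def expected_service_principal(target, realm=REALM, trust_dns=True):
    """Service principal an OpenSSH client requests for `ssh target`.

    With GSSAPITrustDns yes the client canonicalises the name through DNS
    (the post's debug output shows the reverse-map step); otherwise it uses
    the name exactly as typed.
    """
    name = target.lower()
    if trust_dns:
        ip = DNS.get(name, name)
        name = REVERSE.get(ip, name)
    return f"host/{name}@{realm}"


def check_gssapi_path(target, keytabs=KEYTABS, trust_dns=True):
    """Diagnose whether gssapi-with-mic can succeed for `ssh target`.

    Returns the requested principal, the host whose sshd really answers
    (after any port forward), and whether that host's keytab has the key.
    """
    principal = expected_service_principal(target, trust_dns=trust_dns)
    ip = DNS.get(target.lower(), target)
    sshd_host = PORT_FORWARDS.get((ip, 22), ip)
    have = parse_klist_k(keytabs.get(sshd_host, ""))
    return {
        "principal": principal,
        "sshd_host": sshd_host,
        "keytab_has_key": principal in have,
    }


if __name__ == "__main__":
    for host in ("firewall.domain.com", "kdc.internal.domain.com"):
        print(host, check_gssapi_path(host))
    print("after fix", check_gssapi_path("firewall.domain.com", KEYTABS_AFTER_FIX))
```

Run stand-alone it reports that `ssh firewall.domain.com` requests host/firewall.domain.com@DOMAIN.COM but lands on the sshd at 192.168.1.100, whose constructed keytab lacks that key, whereas `ssh kdc.internal.domain.com` matches. The usual remedy for a service reachable under more than one name is to give the answering host a key for each name it is reached by (in MIT Kerberos, `ktadd` from kadmin into that host's /etc/krb5.keytab), which is what KEYTABS_AFTER_FIX models.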