Reverse the order of aliases for the IP address in your /etc/hosts file. The first named alias is used for your ticket generation. This is a common problem with short and FQDNs in /etc/hosts.
Mauricio Tavares wrote: > On 08/01/2012 11:04 AM, Douglas E. Engert wrote: >> >> On 8/1/2012 8:09 AM, "Jörg Herzinger" wrote: >>> Hi, I am trying to get GSSAPI auth to work and the problem ist that my >>> kerberos server and the ssh server I want to connect to are behind a nat. >>> My setup looks like this: >>> >>> my_laptop -------- virtual_machine_host ----- kerberos & ssh server >>> (any ip here) 128.131.XX.YY - 10.0.0.1 10.0.0.2 & 10.0.0.3 >>> >>> Port forwads are done by iptables on my virtual-machine-host. Port 22 ist >>> forwarded to my ssh server. I can get a kerberos ticket easily on my >>> laptop: >>> joerg@laptop ~ % kinit joerg >>> Password for jo...@reaml.at: >>> joerg@laptop ~ % klist -af >>> Ticket cache: FILE:/tmp/krb5cc_1000 >>> Default principal: jo...@realm.at >>> >>> Valid starting Expires Service principal >>> 08/01/12 09:34:39 08/01/12 23:34:39 krbtgt/realm...@realm.at >>> renew until 08/02/12 09:35:00, Flags: FPRI >>> Addresses: (none) >>> >>> Connecting to my virtual machine host with gssapi auth also works like >>> expected but when I try to connect to my ssh server gssapi fails (No valid >>> Key exchange context) and I am prompted for a password. Connecting via ssh >>> from my kerberos server to my ssh server internally works too. >>> The stange thing i found is that even with NO host keytab on my ssh server >>> I do get a ticket when trying to connect. >>> >>> joerg@laptop ~ % kinit joerg >>> Password for jo...@realm.at: >>> joerg@laptop ~ % klist -af >>> Ticket cache: FILE:/tmp/krb5cc_1000 >>> Default principal: jo...@realm.at >>> >>> Valid starting Expires Service principal >>> 08/01/12 09:46:42 08/01/12 23:46:42 krbtgt/realm...@realm.at >>> renew until 08/02/12 09:47:03, Flags: FPRI >>> Addresses: (none) >>> joerg@blackmini ~ % ssh root@virtual-machine-host >>> Warning: Permanently added 'virtual-machine-host,128.131.XX.YY' (ECDSA) to >>> the list of known hosts. >>> Password: >>> >>> 130 joerg@laptop ~ % klist -af >>> Ticket cache: FILE:/tmp/krb5cc_1000 >>> Default principal: jo...@realm.at >>> >>> Valid starting Expires Service principal >>> 08/01/12 09:46:42 08/01/12 23:46:42 krbtgt/realm...@realm.at >>> renew until 08/02/12 09:47:03, Flags: FPRI >>> Addresses: (none) >>> 08/01/12 09:46:57 08/01/12 23:46:42 host/virtual-machine-host@ >>> renew until 08/02/12 09:47:03, Flags: FPRT >>> Addresses: (none) >>> 08/01/12 09:46:57 08/01/12 23:46:42 host/virtual-machine-h...@realm.at >>> renew until 08/02/12 09:47:03, Flags: FPRT >>> Addresses: (none) >>> >>> I already read a lot about address less tickets and "rdns=no", but all >>> this seems way outdated. The config option "extra_addresses" looks >>> promising but I didn't have success with this either. I am working on >>> ubuntu laptop 11.04 and ssh server is Debian Squeeze. >>> Any ideas or further suggestions on what I could try to get this working? >>> This would be quite important for me. >> The above ticket is only good for services on virtual-machine-host. >> But the service is on ssh-server >> >> Kerberos uses hostnames in tickets, not IP. So what is the host name >> of your ssh-server at 10.0.0.3? Sounds like you already have a principal >> for it in the KDC and a keytab. >> >> You will then need to tell your laptop, that the IP number for the >> ssh-server is the same as the virtual-machine-host, so the ssh client >> will get a ticket based on the name and ssh will make the TCP >> connection to the IP and port to the virtual-machine-host that will >> route to the ssh-server. >> The both the client and ssh-server will be using the same name >> for the prinbcipal. >> >> Running with ssh -v -v -v and sshd -d -d -d >> will give debug info. >> >> You may want to assign a forwarded ssh port for each of your >> back end servers, and leave 22 for the virtual-machine-host. >> You could then ssh to any of them from your laptop. >> >> Your laptop will then have to use a name and port for each. >> The /etc/hosts file will have all the names mapping to the >> IP of the virtual-machine-host. >> ~.ssh/config could add the port. >> > Correct me if I am wrong but what you are saying is to put in > /etc/hosts (using the OP's example) > > 128.131.XX.YY kerberos.lan.com ssh.lan.com > > I tried that and when I did > > kinit -fAp > ssh -vvv -p 1234 -o GSSAPITrustDNS=no ssh.lan.com > > ssh acted like it was trying to authenticate against kerberos.lan.com, > not ssh.lan.com. > >>> thanks, >>> Jörg >>> >>> >>> ________________________________________________ >>> Kerberos mailing list Kerberos@mit.edu >>> https://mailman.mit.edu/mailman/listinfo/kerberos >>> >>> > ________________________________________________ > Kerberos mailing list Kerberos@mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos > ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos