---- Original message ----
>Date: Tue, 24 Oct 2006 13:28:20 -0700
>From: "Donald J. Ankney" <[EMAIL PROTECTED]>  
>Subject: Re: krb5 login help  
>To: Bob Beck <[EMAIL PROTECTED]>
>Cc: misc@openbsd.org
>
>On Oct 24, 2006, at 12:29 PM, Bob Beck wrote:
>
>>
>>      Did you give the wee beastie a host key on your kerberos server?
>> both ssh and /bin/login will attempt to verify a host key against
>> the server so that your kerberos server isn't getting spoofed.
>
>
>I think this is the place where I'm running into problems. Checking  
>my authlog, I find:
>
>krb5-or-pwd: verify: Server not found in Kerberos database
>
>The next problem is that I don't control the server (I'm trying to  
>authenticate my departmental server against the university-wide  
>kerberos server). I'll dig into google on that one, but on a  
>conceptual note, don't I just need to have their key stored on my  
>client and not vice versa? This should be a one-way trust (me  
>trusting them, not vice-versa), right? Or are there security  
>implications that I'm not understanding with Kerberos?
>

you need to extract the keytab for the host you want to allow kerberosV
authentication on from the kerberosV server against which you want to
authenticate. if you are authenticating against the university-wide server, you
need to have keytabs generated by the university-wide server and then put those
on your machine.

if you are administrating the whole realm, this is easy enough to do via kadmin. do
"info heimdal" and read the part about keytabs. otherwise you will need to have
someone generate host keys for each of your hosts and get those keys to you.
