[30381] in Kerberos


Re: Kerberos and SSH ?

daemon@ATHENA.MIT.EDU (Martin Simovic)
Mon Oct 27 06:28:28 2008

From: Martin Simovic <msimovic@concurrent-thinking.com>
To: Ronni Feldt <rofe@one.com>
In-Reply-To: <1225097231.5884.1.camel@localhost>
Date: Mon, 27 Oct 2008 10:27:11 +0000
Message-Id: <1225103231.11990.14.camel@precision.lan.streamline-computing.com>
Mime-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Hi,

Your DNS has to work properly; Kerberos is unforgiving there. Also, does
your user exist on the server you are trying to log in to? You need a
separate mechanism (like LDAP) for the user database; Kerberos provides only
authentication (not authorization).

M.


On Mon, 2008-10-27 at 09:47 +0100, Ronni Feldt wrote:
> I'm about to make some central authentication for our linux servers. I
> have followed these guides and some of it works, except ssh to the
> server.
> 
> Guides:
> http://www.visolve.com:81/security/ssh_kerberos.php
> http://www.alittletooquiet.net/text/kerberos-on-ubuntu/
> 
> My test-environment is 3 computers (pc1, pc2 and pc3):
> 
> PC2 (Debian Etch)
> Installed kerberos and configured realms in /etc/krb5.conf:
> 
> [libdefaults]
>         default_realm = ONE.COM
> 
> [realms]
>         ONE.COM = {
>                 kdc = kerberos.one.com
>                 admin_server = kerberos.one.com
>         }
> 
> Created principals:
> host/rofe	(the pc which I want to login to via ssh, PC1)
> ronni		(me)
> 
> Exported keytab for host/rofe and copied it to PC1 in /etc/krb5.keytab.
> 
> PC1 (Ubuntu 8.04):
> I have installed kerberos and openssh and configured realms
> in /etc/krb5.conf
> 
> [libdefaults]
>         default_realm = ONE.COM
> 
> [realms]
>         ONE.COM = {
>                 kdc = kerberos.one.com
>                 admin_server = kerberos.one.com
>         }
> 
> 
> Edited permissions for /etc/krb5.keytab to:
> chmod 600 /etc/krb5.keytab
> chown root:root /etc/krb5.keytab
> 
> Configured and restarted ssh; /etc/ssh/sshd_config:
> # Kerberos options
> KerberosAuthentication yes
> #KerberosGetAFSToken no
> #KerberosOrLocalPasswd yes
> KerberosTicketCleanup yes
> 
> Edited firewall-rules and /etc/hosts for communication.
> 
> -----
> From PC1 I can do a:
> kinit ronni
> And verify that I get a ticket with klist.
> 
> But it fails when I try to ssh from PC3 to PC1.
> On PC2 I have tried to make a:
> tcpdump -i eth0 'udp port 88'
> 
> And get this:
> 08:16:01.559311 IP rofe.one.com.57976 > 192.168.212.15.kerberos:  v5
> 08:16:01.560194 IP 192.168.212.15.kerberos > rofe.one.com.57976: 
> 08:16:15.924029 IP rofe.one.com.47652 > 192.168.212.15.kerberos:  v5
> 08:16:15.924353 IP 192.168.212.15.kerberos > rofe.one.com.47652: 
> 
> So they can communicate, but the authentication fails:
> The /var/log/auth.log :
> PC1 (where I want to login)
> Oct 27 09:36:45 rofe sshd[11369]: Invalid user ronni from
> 192.168.212.254
> Oct 27 09:36:45 rofe sshd[11369]: Failed none for invalid user ronni
> from 192.168.212.254 port 47098 ssh2
> Oct 27 09:36:49 rofe sshd[11369]: pam_unix(sshd:auth): check pass; user
> unknown
> Oct 27 09:36:49 rofe sshd[11369]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=pc3 
> Oct 27 09:36:51 rofe sshd[11369]: Failed password for invalid user ronni
> from 192.168.212.254 port 47098 ssh2
> 
> PC2 (the kerberos server)
> Oct 27 09:36:49 lookout krb5kdc[21046]: AS_REQ (7 etypes {18 17 16 23 1
> 3 2}) 192.168.212.93: CLIENT_NOT_FOUND: NOUSER@ONE.COM for
> krbtgt/ONE.COM@ONE.COM, Client not found in Kerberos database
> 
> 
> I know my user (ronni) is in the Kerberos database, but still I get
> CLIENT_NOT_FOUND, so I may have missed something somewhere.
> What I want to achieve is a central user database (Kerberos), and be
> able to login on all servers without the need for creating every single
> user on every server.
> 
> 
> Help :-)
> 
> - Ronni
> 
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
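The two log excerpts quoted above contain the whole diagnosis once they are read together: sshd on PC1 reports "Invalid user ronni" because the account is not known to the server's NSS, and pam_krb5, having no local user to map, sends the KDC an AS_REQ for the placeholder principal NOUSER@ONE.COM, which the KDC duly rejects with CLIENT_NOT_FOUND. The following Python script is an added example, not part of the thread or of any Kerberos distribution: it correlates sshd and krb5kdc lines by timestamp and names the likely cause. The sample lines are constructed to match the formats quoted in the mail, the log year is assumed (syslog timestamps carry none), and the finding kinds and advice strings are this example's own.

```python
"""Correlate sshd "Invalid user" events with KDC CLIENT_NOT_FOUND events.

Added example for the thread above; regexes match the syslog formats quoted
there. Constructed sample input follows.
"""
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled on the quoted /var/log/auth.log and
# krb5kdc output (hostnames and addresses as in the thread).
SSHD_LOG = """\
Oct 27 09:36:45 rofe sshd[11369]: Invalid user ronni from 192.168.212.254
Oct 27 09:36:45 rofe sshd[11369]: Failed none for invalid user ronni from 192.168.212.254 port 47098 ssh2
Oct 27 09:36:49 rofe sshd[11369]: pam_unix(sshd:auth): check pass; user unknown
Oct 27 09:36:51 rofe sshd[11369]: Failed password for invalid user ronni from 192.168.212.254 port 47098 ssh2
"""
KDC_LOG = """\
Oct 27 09:36:49 lookout krb5kdc[21046]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.212.93: CLIENT_NOT_FOUND: NOUSER@ONE.COM for krbtgt/ONE.COM@ONE.COM, Client not found in Kerberos database
"""

LOG_YEAR = 2008  # assumption: syslog lines have no year; the mail is dated 2008

_TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
SSHD_INVALID_USER = re.compile(
    _TS + r" \S+ sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\S+)")
KDC_CLIENT_NOT_FOUND = re.compile(
    _TS + r" \S+ krb5kdc\[\d+\]: AS_REQ \(.*?\) (?P<ip>\S+): "
    r"CLIENT_NOT_FOUND: (?P<princ>\S+) for (?P<service>\S+),")


def _parse_ts(text):
    """Turn 'Oct 27 09:36:45' into a datetime using the assumed year."""
    return datetime.strptime(f"{LOG_YEAR} {text}", "%Y %b %d %H:%M:%S")


def _scan(log_text, pattern):
    """Return a dict per line that matches pattern, with a parsed 'when'."""
    hits = []
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            d = m.groupdict()
            d["when"] = _parse_ts(d.pop("ts"))
            hits.append(d)
    return hits


def diagnose(sshd_log, kdc_log, window_seconds=10):
    """One finding per KDC CLIENT_NOT_FOUND event.

    The KDC sees the AS_REQ coming from the ssh server (PAM runs there), not
    from the ssh client, so correlation is by time, not by source address.
    """
    invalid_users = _scan(sshd_log, SSHD_INVALID_USER)
    window = timedelta(seconds=window_seconds)
    findings = []
    for ev in _scan(kdc_log, KDC_CLIENT_NOT_FOUND):
        name, _, realm = ev["princ"].partition("@")
        nearby = [u for u in invalid_users
                  if abs(u["when"] - ev["when"]) <= window]
        if name == "NOUSER" and nearby:
            # sshd rejected the login name before PAM could map it to a
            # principal; the KDC never saw the real user at all.
            findings.append({
                "kind": "missing_local_account",
                "user": nearby[0]["user"], "realm": realm,
                "when": ev["when"],
                "advice": "account must resolve via NSS on the ssh server "
                          "(local passwd entry or LDAP); the KDC entry "
                          "alone is not enough"})
        elif name == "NOUSER":
            findings.append({
                "kind": "nouser_unmatched", "user": None, "realm": realm,
                "when": ev["when"],
                "advice": "PAM sent NOUSER but no sshd 'Invalid user' line "
                          "fell within the window; widen it or check clocks"})
        else:
            # A real principal name reached the KDC and was not found there.
            findings.append({
                "kind": "unknown_principal", "user": name, "realm": realm,
                "when": ev["when"],
                "advice": "principal is absent from the KDC database for "
                          "this realm; check spelling and default_realm"})
    return findings


if __name__ == "__main__":
    for f in diagnose(SSHD_LOG, KDC_LOG):
        print(f"{f['when']:%b %d %H:%M:%S} {f['kind']}: "
              f"user={f['user']} realm={f['realm']} -> {f['advice']}")
```

Run against the sample input the script prints a single missing_local_account finding for ronni in ONE.COM, which is exactly the situation the reply describes: the server needs the user from NSS (for example LDAP) before Kerberos authentication can even be attempted.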

