LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 06-16-2011, 12:57 PM   #1
manyrootsofallevil
Member
 
Registered: Dec 2010
Distribution: Red Hat, Kubuntu
Posts: 130

SSH not working with Kerberos Authentication


Pretty much as described in the thread title. I'm running RHEL6 on both the server and the client.

I followed Red Hat's own instructions to set the kdc up

I have a user called krb, that has been added to the KDC and I can get a ticket from the KDC, by using
Code:
kinit -p krb
If I then try to log in to the KDC, from the KDC, with
Code:
ssh krb@kdcserver -v
this works fine, in other words, it logs in using GSSAPI authentication.
Quote:
debug1: Authentication succeeded (gssapi-with-mic).
So that tells me that both ssh client and daemon are configured fine for Kerberos authentication.

I have configured the client to use kerberos using authconfig-tui. I have compared both the client and the server /etc/krb5.conf files and they are identical.

Name resolution works fine for both server and client, in other words I can ping kdcserver from the server and the client and I can ping sshclient from server and client both fqdn and hostname.

I get a ticket for krb with kinit krb in sshclient and I get
Quote:
host/sshclient@DOMAIN.COM not found in Kerberos database
I then add the sshclient to KDC, as described here. In actual fact, I add one with fqdn and another just the hostname for good measure and place them in the client /etc/krb5.keytab file.

When I try again, I get this:

debug1: Unspecified GSS failure. Minor code may provide more information\nWrong principal in request\n

If I do klist, I have these tickets now :
Quote:
krbtgt/DOMAIN.COM@DOMAIN.COM
host/kdcserver.domain.com@DOMAIN.COM
any ideas?

TIA

edit.

I've just tried ssh directly on the client ssh krb@sshclient -v, I also get in with GSSAPI authentication (as long as there is a ticket)

These are the tickets I have after a successful login.

krbtgt/DOMAIN.COM@DOMAIN.COM
host/sshclient.domain.com@DOMAIN.COM

This would suggest that I'm getting the right ticket above when I try client to server.

What is going on???

Last edited by manyrootsofallevil; 06-16-2011 at 01:16 PM. Reason: further tests
 
Old 06-16-2011, 07:48 PM   #2
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,758

Try checking /etc/hosts format, should be '<ip_address> <fqdn> <short_hostname>', also check the output of 'hostname' and 'hostname -s'
 
Old 06-17-2011, 05:33 AM   #3
manyrootsofallevil
Member
 
Registered: Dec 2010
Distribution: Red Hat, Kubuntu
Posts: 130

Original Poster
Quote:
Originally Posted by kbp
Try checking /etc/hosts format, should be '<ip_address> <fqdn> <short_hostname>', also check the output of 'hostname' and 'hostname -s'
I had the format the other way about, i.e. short_hostname before fqdn, but even changing that seemed to make no difference.

I've managed to get it working. I created a new zone in my DNS server and used the DNS server instead of the hosts file; I also reinstalled the KDC server. Here is a list of steps that I took to get it to work from scratch:

installed kdc (yum install krb5-server)

created kdc db (kdb5_util create -s)

added root/admin (kadmin.local -q "addprinc root/admin")

added krb (kadmin.local -q "addprinc krb")

ssh kdcserver from kdcserver -- complains about missing host/kdcserver.domain.com in Kerberos database
ssh kdcserver from client -- complains about missing host/kdcserver.domain.com in Kerberos database

kadmin.local on kdcserver
addprinc -randkey host/kdcserver.domain.com

ssh kdcserver from kdcserver -- complains EM Get Key table file '/etc/krb5.keytab' not found
ssh kdcserver from client -- complains EM Get Key table file '/etc/krb5.keytab' not found

added host/kdcserver.domain.com to /etc/krb5.keytab in kdcserver (kadmin | ktadd -k /etc/krb5.keytab host/kdcserver.domain.com)

ssh kdcserver from kdcserver works !!!!
ssh kdcserver from client works !!!!

Tried ssh client from kdcserver -- complains about missing host/client.domain.com in Kerberos database

kadmin.local on kdcserver
addprinc -randkey host/client.domain.com
added host/client.domain.com to /etc/krb5.keytab in client

ssh client from kdcserver works!!!!!!

Thus, in order to add a new host I would need to do:

on kdcserver

kadmin.local
addprinc -randkey host/newhost.domain.com

and add host/newhost.domain.com to /etc/krb5.keytab in newhost

and this does indeed work.
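The two threads of advice above (kbp's point about /etc/hosts ordering in post #2 and the provisioning recipe in post #3) come down to one invariant: the service principal the client asks the KDC for, host/<canonical name>@REALM, must match a key in the server's /etc/krb5.keytab. With MIT Kerberos' default canonicalization the client takes the canonical name from the first name on the matching /etc/hosts line (or from DNS), which is why a short name listed before the fqdn typically produces "not found in Kerberos database" or "Wrong principal in request". The script below is an added example, not code from the thread or from the poster: it derives the expected SPN from constructed /etc/hosts content, checks it against constructed `klist -k` output, and prints the kadmin commands from post #3 when the key is missing. The realm DOMAIN.COM, the hostnames and the 192.0.2.x addresses are assumptions taken from the thread's placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): derive the SPN an SSH client will request
# for a server and check that the server's keytab holds a key for it.
# All inputs are constructed inline so this runs offline; on a live system feed
# it the real /etc/hosts and the output of `klist -k /etc/krb5.keytab`.

REALM="DOMAIN.COM"   # assumption: the thread's placeholder realm

# Constructed /etc/hosts content in the order kbp recommends (ip fqdn short).
HOSTS_OK="192.0.2.10 kdcserver.domain.com kdcserver
192.0.2.20 sshclient.domain.com sshclient"

# Constructed /etc/hosts with the short name first, as the OP originally had it.
HOSTS_BAD="192.0.2.10 kdcserver kdcserver.domain.com"

# Constructed `klist -k` output for the KDC's keytab (fqdn principal only).
KEYTAB_OK="Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------
   2 host/kdcserver.domain.com@DOMAIN.COM"

# canonical_name HOSTS NAME -> prints the first name on the /etc/hosts line that
# lists NAME, i.e. what getaddrinfo(AI_CANONNAME) returns for it.
canonical_name() {
    printf '%s\n' "$1" | awk -v n="$2" '
        !/^#/ { for (i = 2; i <= NF; i++) if ($i == n) { print $2; exit } }'
}

# expected_spn HOSTS NAME -> the service principal ssh will ask the KDC for.
expected_spn() {
    printf 'host/%s@%s\n' "$(canonical_name "$1" "$2")" "$REALM"
}

# keytab_has KEYTAB SPN -> returns 0 if SPN appears in the klist -k listing.
keytab_has() {
    printf '%s\n' "$1" | awk -v s="$2" '$2 == s { found = 1 } END { exit !found }'
}

# check_host HOSTS KEYTAB NAME -> reports whether the server keytab can serve
# the SPN a client using HOSTS would request; returns 1 when it cannot.
check_host() {
    spn=$(expected_spn "$1" "$3")
    if keytab_has "$2" "$spn"; then
        printf 'ok: %s present in keytab\n' "$spn"
        return 0
    fi
    printf 'missing: %s not in keytab (client would see "not found in Kerberos database" or "Wrong principal in request")\n' "$spn"
    return 1
}

# provision_cmds NAME -> prints the commands from post #3 for adding NAME.
provision_cmds() {
    cat <<EOF
# on the KDC:
kadmin.local -q "addprinc -randkey host/$1@$REALM"
# on $1 (kadmin prompts for an admin principal such as root/admin):
kadmin -q "ktadd -k /etc/krb5.keytab host/$1@$REALM"
EOF
}

# Demonstration: the correct hosts order matches the keytab; the reversed
# order yields a short-name SPN the keytab does not hold.
check_host "$HOSTS_OK" "$KEYTAB_OK" kdcserver
check_host "$HOSTS_BAD" "$KEYTAB_OK" kdcserver || provision_cmds "$(canonical_name "$HOSTS_BAD" kdcserver)"
```

Running it on a real host means replacing the three constructed strings with `cat /etc/hosts`, `klist -k /etc/krb5.keytab` and the name you actually type after `ssh`; if check_host reports "missing", either fix the name ordering so the fqdn is canonical or add the principal the client is really requesting.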
 
Old 06-17-2011, 05:34 AM   #4
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,758

I think I'll stick with my 389-server
 
Old 06-17-2011, 09:28 AM   #5
manyrootsofallevil
Member
 
Registered: Dec 2010
Distribution: Red Hat, Kubuntu
Posts: 130

Original Poster
Quote:
Originally Posted by kbp
I think I'll stick with my 389-server
I was just having a look at this as part of the preparation for the RHCE, where there is a fairly undefined objective regarding Kerberos Authentication (Configure system to authenticate using Kerberos)

I have created a post in my blog explaining the steps taken, for future reference.

For some reason, I think I'm missing SPNs; I cannot get ssh working with a Windows 2003 AD, which I already had up and running. It sort of does not make too much sense to have Kerberos on its own, i.e. without an LDAP service for accounts, but there you go.
Tags
kerberos, ssh