Re: Kerberos through a load balancer
David Konerding wrote:[color=blue]
> Hi folks,
> We have a bunch of hosts that allow password-free ssh logins using kerberos.
> These also run web servers, which use mod_auth_kerb.
> We also have a BigIP load balancer that has a name; when people ssh or web
> access that name, they get round-robin distributed across the cluster.
> The LB supports Layer 3 and Layer 5 transparent proxying to the back end.
> We have noticed that if people log into nodes with their real hostname,
> or web access a url using the real hostname of the server, everything
> works as expected.
> However, attempting to ssh into the load balancer address typically gives:
> debug1: Authentications that can continue:
> debug1: Next authentication method: gssapi-with-mic
> debug1: Delegating credentials
> debug1: Miscellaneous failure
> Unknown code
> debug1: Trying to start again
ssh calls gss_acquire_cred with a service name derived from the host name.
You really want to load balance the ssh sessions?
> And when users try to access the web server through the load balancer:
> Authentication never succeeds and the following mod_auth_kerb error is logged:
> failed to verify krb5 credentials: Server not found in Kerberos database
mod_auth_kerb uses the service principal name derived from ap_get_server_name
unless you set the KrbServiceName with a full principal like HTTP/fqdn@realm.
So the best I can tell for both ssh and mod_auth_kerb you are limited to one
(I used to have a mode for the gssapi code to be less restrictive
about the checks, allowing a match for any entry in the keytab
that matched the service and realm.) Don't know if some newer versions
of Kerberos have adding anything like this.
> Logging into the machine through the ssh load balancer shows the IP
> address of the loadbalancer,
> not the IP address of the source ssh machine.
> We did some attempts at putting server keys with the hostname of the
> load balancer into the
> srvtab on each of the servers, but never had any luck.[/color]
srvtab is an old term, Do you mean the /etc/krb5.keytab?
Or so you mean the mod_auth_kerb parameter Krb5Keytab <file>
What version of SSH?
What version of Kerberos?
What OS? Some vendors might have a mod like I described above.
What does the mod_auth_kerb parameters look like?
> Any ideas? I did some low-level tcpdumping and tracing various parts
> of the Kerberos code, and came up with
> some bizarre results for why we are getting failures.[/color]
And what are the results?
> Kerberos mailing list [email]Kerberos@mit.edu[/email]
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439