David Konerding wrote:
> Hi folks,
>
> We have a bunch of hosts that allow password-free ssh logins using kerberos.
> These also run web servers, which use mod_auth_kerb.
>
> We also have a BigIP load balancer that has a name; when people ssh or web
> access that name, they get round-robin distributed across the cluster.
> The LB supports Layer 3 and Layer 5 transparent proxying to the back end.
>
> We have noticed that if people log into nodes with their real hostname,
> or web access a url using the real hostname of the server, everything
> works as expected.
> However, attempting to ssh into the load balancer address typically gives:
>
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,keyboard-interactive
> debug1: Next authentication method: gssapi-with-mic
> debug1: Delegating credentials
> debug1: Miscellaneous failure
> Unknown code
>
> debug1: Trying to start again
>

ssh calls gss_acquire_cred with a service name derived from the host name.

You really want to load balance the ssh sessions?

>
> And when users try to access the web server through the load balancer:
>
> Authentication never succeeds and the following mod_auth_kerb error is logged:
> failed to verify krb5 credentials: Server not found in Kerberos database
>


mod_auth_kerb uses the service principal name derived from ap_get_server_name
unless you set the KrbServiceName with a full principal like HTTP/fqdn@realm.

So the best I can tell for both ssh and mod_auth_kerb you are limited to one
service principal.
(I used to have a mode for the gssapi code to be less restrictive
about the checks, allowing a match for any entry in the keytab
that matched the service and realm.) Don't know if some newer versions
of Kerberos have adding anything like this.

>
> Logging into the machine through the ssh load balancer shows the IP
> address of the loadbalancer,
> not the IP address of the source ssh machine.
>
> We did some attempts at putting server keys with the hostname of the
> load balancer into the
> srvtab on each of the servers, but never had any luck.


srvtab is an old term, Do you mean the /etc/krb5.keytab?
Or so you mean the mod_auth_kerb parameter Krb5Keytab

What version of SSH?
What version of Kerberos?
What OS? Some vendors might have a mod like I described above.
What does the mod_auth_kerb parameters look like?

>
> Any ideas? I did some low-level tcpdumping and tracing various parts
> of the Kerberos code, and came up with
> some bizarre results for why we are getting failures.


And what are the results?

> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>


--

Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444