Re: Kerberos and SSH ?
Assuming your DNS is set up properly, you'll need to set the host tab's
to have the principal fully qualified domain name, i.e.
host/rofe.one.com@ONE.COM instead of host/rofe@ONE.COM
You can check if it is by running host against the IP of the hostname.
So assuming rofe.one.com has the IP 10.1.1.1
> host 10.1.2.3
3.2.1.10.in-addr.arpa domain name pointer rofe.one.com.
(Note that the returned IP is reversed, which is normal).
Cheers,
Edward
On Mon, 2008-10-27 at 09:47 +0100, Ronni Feldt wrote:
> I'm about to make some central authentication for our linux servers. I
> have followed these guides and some of it works, except ssh to the
> server.
>
> Guides:
> http://www.visolve.com:81/security/ssh_kerberos.php
> http://www.alittletooquiet.net/text/kerberos-on-ubuntu/
>
> My test-environment is 3 computers (pc1, pc2 and pc3):
>
> PC2 (Debian Etch)
> Installed kerberos and configured realms in /etc/krb5.conf:
>
> [libdefaults]
> default_realm = ONE.COM
>
> [realms]
> ONE.COM = {
> kdc = kerberos.one.com
> admin_server = kerberos.one.com
> }
>
> Created principals:
> host/rofe (the pc which I want to login to via ssh, PC1)
> ronni (me)
>
> Exported keytab for host/rofe and copied it to PC1 in /etc/krb5.keytab.
>
> PC1 (Ubuntu 8.04):
> I have installed kerberos and openssh and configured realms
> in /etc/krb5.conf
>
> [libdefaults]
> default_realm = ONE.COM
>
> [realms]
> ONE.COM = {
> kdc = kerberos.one.com
> admin_server = kerberos.one.com
> }
>
>
> Edited permissions for /etc/krb5.keytab to:
> chmod 600 /etc/krb5.keytab
> chown root:root /etc/krb5.keytab
>
> Configured and restarted ssh; /etc/ssh/sshd_config:
> # Kerberos options
> KerberosAuthentication yes
> #KerberosGetAFSToken no
> #KerberosOrLocalPasswd yes
> KerberosTicketCleanup yes
>
> Edited firewall-rules and /etc/hosts for communication.
>
> -----
> From PC1 I can do a:
> kinit ronni
> And verify that I get a ticket with klist.
>
> But it fails when I try to ssh from PC3 to PC1.
> On PC2 I have tried to make a:
> tcpdump -i eth0 'udp port 88'
>
> And get this:
> 08:16:01.559311 IP rofe.one.com.57976 > 192.168.212.15.kerberos: v5
> 08:16:01.560194 IP 192.168.212.15.kerberos > rofe.one.com.57976:
> 08:16:15.924029 IP rofe.one.com.47652 > 192.168.212.15.kerberos: v5
> 08:16:15.924353 IP 192.168.212.15.kerberos > rofe.one.com.47652:
>
> So they can communicate, but the authentication fails:
> The /var/log/auth.log :
> PC1 (where I want to login)
> Oct 27 09:36:45 rofe sshd[11369]: Invalid user ronni from
> 192.168.212.254
> Oct 27 09:36:45 rofe sshd[11369]: Failed none for invalid user ronni
> from 192.168.212.254 port 47098 ssh2
> Oct 27 09:36:49 rofe sshd[11369]: pam_unix(sshd:auth): check pass; user
> unknown
> Oct 27 09:36:49 rofe sshd[11369]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=pc3
> Oct 27 09:36:51 rofe sshd[11369]: Failed password for invalid user ronni
> from 192.168.212.254 port 47098 ssh2
>
> PC2 (the kerberos server)
> Oct 27 09:36:49 lookout krb5kdc[21046]: AS_REQ (7 etypes {18 17 16 23 1
> 3 2}) 192.168.212.93: CLIENT_NOT_FOUND: NOUSER@ONE.COM for
> krbtgt/ONE.COM@ONE.COM, Client not found in Kerberos database
>
>
> I know my user (ronni) is in the Kerberos database, but still I get
> CLIENT_NOT_FOUND, so I may have missed something somewhere.
> What I want to achieve is a central user database (Kerberos), and be
> able to login on all servers without the need for creating every single
> user on every server.
>
>
> Help :-)
>
> - Ronni
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
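The check Edward describes above, worked through as an added example that is not part of the thread: confirm that the host's reverse DNS name matches its FQDN, and that the keytab holds the fully qualified host principal rather than only the short one. The function names, the sample `klist -k` output and the live lookup are assumptions for illustration.

```python
# Added example (not from the thread): check that a host's reverse DNS and its
# keytab agree on the fully qualified host principal, as Edward suggests.
import socket
import subprocess

def expected_host_principal(fqdn: str, realm: str) -> str:
    """The service principal sshd will look for in /etc/krb5.keytab."""
    return f"host/{fqdn.rstrip('.').lower()}@{realm}"

def parse_klist_keytab(output: str) -> set:
    """Extract principal names from 'klist -k' output (KVNO, Principal columns)."""
    principals = set()
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit():
            principals.add(parts[1])
    return principals

def check_host_principal(short_name, fqdn, ptr_name, realm, keytab_principals):
    """Return a list of problems; an empty list means DNS and keytab agree."""
    problems = []
    if ptr_name.rstrip(".").lower() != fqdn.rstrip(".").lower():
        problems.append(f"reverse DNS returns {ptr_name!r}, expected {fqdn!r}")
    expected = expected_host_principal(fqdn, realm)
    if expected not in keytab_principals:
        problems.append(f"{expected} is missing from the keytab")
        short = f"host/{short_name}@{realm}"
        if short in keytab_principals:
            problems.append(f"keytab only holds the short-name principal {short}")
    return problems

def live_check(short_name: str, realm: str) -> list:
    """Run the same check against real DNS and the local keytab (klist -k needs root)."""
    fqdn = socket.getfqdn(short_name)
    ip = socket.gethostbyname(fqdn)
    ptr_name = socket.gethostbyaddr(ip)[0]  # the equivalent of 'host <ip>'
    out = subprocess.run(["klist", "-k"], capture_output=True, text=True, check=True).stdout
    return check_host_principal(short_name, fqdn, ptr_name, realm, parse_klist_keytab(out))

# Constructed sample mirroring the thread: keytab holds host/rofe, not host/rofe.one.com.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/rofe@ONE.COM
"""

if __name__ == "__main__":
    for p in check_host_principal("rofe", "rofe.one.com", "rofe.one.com.", "ONE.COM",
                                  parse_klist_keytab(SAMPLE_KLIST)):
        print("PROBLEM:", p)
```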