OpenSSH with cross-realm Kerberos (Heimdal) authentication
I'm trying to get cross-realm authentication to work between A.COM and
B.NET for openssh.
The setup is as follows:
the KDC from A.COM has a principal user@A.COM.
the KDC from B.NET has the principal host/sshserver@B.NET
There's also a principal krbtgt/B.NET@A.COM on both KDCs.
The cross-realm authentication seems to work. After kinit user@A.COM and
attempting to ssh to user@sshserver I have the following tickets:
(deepstar/tachyon) ~$ klist
Credentials cache: FILE:/tmp/krb5cc_1000
Issued Expires Principal
May 29 15:07:18 May 30 01:09:24 krbtgt/A.COM@A.COM
May 29 15:07:20 May 30 01:09:24 krbtgt/B.NET@A.COM
May 29 15:07:19 May 30 01:09:24 host/sshserver@B.NET
But I can't login. When I get a ticket for user@B.NET and attempt to login, it works.
So at least I know the setup is correct.
The log from the KDC at B.NET shows something like this:
2006-05-29T15:07:19 TGS-REQ user@A.COM from IPv4:192.168.2.103 for host/sshserver@B.NET [proxiable, forwardable]
2006-05-29T15:07:19 Client not found in database: user@A.COM: No such entry in the database
2006-05-29T15:07:19 cross-realm A.COM -> B.NET
2006-05-29T15:07:19 sending 665 bytes to IPv4:192.168.2.103
Where 192.168.2.103 is the client as well as the sshserver in this case...
This leads me to conclude that the SSH server is trying to verify user@A.COM against the B.NET realm.
I'm not sure why this happens? (krb5.conf should be set up correctly.)
Does anyone have a similar problem and maybe a fix?
I'm using OpenSSH 4.2p1-8 (Debian unstable)
-- Steven Van Acker
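Added example, not code from the original post or from OpenSSH/Heimdal: once the Kerberos exchange has produced a valid host/sshserver@B.NET service ticket, as the klist output above shows, sshd still has to decide whether the authenticated principal may log in as the requested local account. It delegates that decision to libkrb5's krb5_kuserok(), whose rule is the same in MIT and Heimdal: if ~<user>/.k5login exists the principal must be listed in it, otherwise only <user>@<default realm of the host> is accepted. The script below models that check so the two cases in the post (user@B.NET works, user@A.COM does not) can be compared side by side; the realm names, principals and .k5login contents are constructed for the example, and real krb5_kuserok() additionally requires the file to be owned by the user and not group/world writable.

```python
"""Model of the krb5_kuserok() authorization decision sshd applies after
GSSAPI authentication. Added example; constructed data, not from the post."""
from __future__ import annotations

from typing import Optional


def parse_principal(principal: str) -> tuple[str, str]:
    """Split 'name@REALM' into (name, REALM); rejects realm-less names."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"malformed principal: {principal!r}")
    return name, realm


def parse_k5login(text: str) -> list[str]:
    """Return the principals listed in a .k5login file body.

    One principal per line; blank lines and '#' comments are ignored.
    """
    principals = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            principals.append(line)
    return principals


def kuserok(principal: str, local_user: str, default_realm: str,
            k5login: Optional[str] = None) -> bool:
    """krb5_kuserok() semantics: may `principal` log in as `local_user`?

    `k5login` is the text of ~local_user/.k5login, or None when the file
    does not exist. `default_realm` is the host's own realm (krb5.conf).
    """
    name, realm = parse_principal(principal)
    if k5login is not None:
        # File present: it is the sole authority, exact principal match only.
        # Even <user>@<default realm> is refused if it is not listed.
        return principal in parse_k5login(k5login)
    # No file: only the same-named principal in the host's own realm.
    return name == local_user and realm == default_realm


def explain(principal: str, local_user: str, default_realm: str,
            k5login: Optional[str] = None) -> str:
    """Human-readable verdict for comparing against what sshd logs."""
    ok = kuserok(principal, local_user, default_realm, k5login)
    where = (".k5login" if k5login is not None
             else f"default rule ({local_user}@{default_realm})")
    return f"{principal} -> {local_user}: {'allowed' if ok else 'denied'} by {where}"


if __name__ == "__main__":
    # Assumption for the example: sshserver's default realm is B.NET.
    REALM = "B.NET"
    # Same-realm login works with no .k5login at all.
    print(explain("user@B.NET", "user", REALM))
    # Cross-realm principal with no .k5login: the ticket is valid, but the
    # realm does not match the host's default realm, so login is refused.
    print(explain("user@A.COM", "user", REALM))
    # Cross-realm principal explicitly listed in a constructed .k5login.
    K5LOGIN = "# principals allowed to log in as 'user' (constructed)\nuser@A.COM\n"
    print(explain("user@A.COM", "user", REALM, K5LOGIN))
```

Running the script prints one verdict per case; the third case is the configuration a practitioner would compare against before looking further at the KDCs, since the KDC log only covers ticket issuance and says nothing about this host-local mapping step.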