Subject: openssh with cross-realm kerberos (heimdal) authentication
Hi,
I'm trying to get cross-realm authentication to work between A.COM and
B.NET for openssh.
The setup is as follows:
the KDC from A.COM has a principal user@A.COM.
the KDC from B.NET has the principal host/sshserver@B.NET
There's also a principal krbtgt/B.NET@A.COM on both KDC's.
The cross-realm authentication seems to work. After kinit user@A.COM and
attempting to ssh to user@sshserver I have the following tickets:
(deepstar/tachyon) ~$ klist
Credentials cache: FILE:/tmp/krb5cc_1000
Principal: user@A.COM
Issued Expires Principal
May 29 15:07:18 May 30 01:09:24 krbtgt/A.COM@A.COM
May 29 15:07:20 May 30 01:09:24 krbtgt/B.NET@A.COM
May 29 15:07:19 May 30 01:09:24 host/sshserver@B.NET
But I can't log in. When I get a ticket for user@B.NET and attempt to log in, it works.
So at least I know the setup is correct.
The log from the KDC at B.NET shows something like this:
2006-05-29T15:07:19 TGS-REQ user@A.COM from IPv4:192.168.2.103 for host/sshserver@B.NET [proxiable, forwardable]
2006-05-29T15:07:19 Client not found in database: user@A.COM: No such entry in the database
2006-05-29T15:07:19 cross-realm A.COM -> B.NET
2006-05-29T15:07:19 sending 665 bytes to IPv4:192.168.2.103
Where 192.168.2.103 is the client as well as the sshserver in this case...
This leads me to conclude that the SSH-server is trying to verify user@A.COM against the B.NET realm.
I'm not sure why this happens? (krb5.conf should be set up correctly)
Does anyone have a similar problem and maybe a fix?
I'm using openssh 4.2p1-8 (debian unstable)
kind regards,
-- Steven Van Acker
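An added illustration that is not part of the original post or of OpenSSH/Heimdal code. The KDC log quoted above shows the cross-realm TGS-REQ being answered ("cross-realm A.COM -> B.NET" followed by the reply), and the klist output shows the resulting host/sshserver@B.NET service ticket, so the Kerberos exchange itself completes. The step that still has to succeed on the ssh server is authorization: after GSSAPI authentication, sshd asks the Kerberos library (krb5_kuserok) whether the authenticated principal may log in as the requested local account. Without a ~/.k5login file, that check only accepts the principal whose name equals the local user name in the server's default realm, which is why user@B.NET works and a principal from a foreign realm such as user@A.COM does not unless it is listed in ~/.k5login. The Python below models that rule; the realm names, user names and .k5login contents are constructed for the example, and the real library additionally requires ~/.k5login to be owned by the user or root, which this model omits.

```python
# Added example, not code from the original post, OpenSSH or Heimdal.
# Models the krb5_kuserok()-style authorization sshd applies after a
# successful GSSAPI (Kerberos) authentication: may principal P log in as
# local user U?  Two rules, mirroring the library's documented behaviour:
#   1. if ~/.k5login exists, P must be listed in it (nothing else is accepted);
#   2. otherwise only U@DEFAULT_REALM is accepted.
# Realm names, users and .k5login contents here are constructed for the demo.
# (Assumption: the ownership checks the real library performs on ~/.k5login
# are left out of this model.)

from typing import Optional


def parse_principal(principal: str) -> tuple[str, str]:
    """Split 'name@REALM' into (name, realm).

    The realm is everything after the last unescaped '@'; a principal
    without a realm is rejected rather than silently given one.
    """
    i = len(principal) - 1
    while i >= 0:
        if principal[i] == "@" and (i == 0 or principal[i - 1] != "\\"):
            name, realm = principal[:i], principal[i + 1:]
            if not name or not realm:
                break
            return name, realm
        i -= 1
    raise ValueError(f"principal without a realm: {principal!r}")


def parse_k5login(text: str) -> set[str]:
    """Parse ~/.k5login text: one principal per line, blank lines and
    '#' comments ignored, surrounding whitespace stripped."""
    allowed: set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        allowed.add(line)
    return allowed


def kuserok(principal: str, local_user: str, default_realm: str,
            k5login: Optional[str]) -> bool:
    """Return True if `principal` may log in as `local_user`.

    `default_realm` is the server's default realm from krb5.conf;
    `k5login` is the text of ~/.k5login, or None if the file does not exist.
    """
    name, realm = parse_principal(principal)
    if k5login is not None:
        # An existing .k5login replaces the implicit rule entirely.
        return principal in parse_k5login(k5login)
    # No .k5login: only "<local_user>@<default realm>" is accepted, so a
    # cross-realm principal with the same user name is refused.
    return name == local_user and realm == default_realm


if __name__ == "__main__":
    # Server in B.NET, account "user", no ~/.k5login on the server.
    print(kuserok("user@B.NET", "user", "B.NET", None))   # True
    print(kuserok("user@A.COM", "user", "B.NET", None))   # False
    # Same server, but ~/.k5login lists the foreign-realm principal.
    print(kuserok("user@A.COM", "user", "B.NET", "user@A.COM\n"))  # True
```

Running the block with the constructed inputs shows the asymmetry the post describes: the same-realm principal is accepted by the implicit rule, the cross-realm principal is not, and adding the foreign principal to ~/.k5login (or, on libraries that support it, an auth_to_local mapping in krb5.conf) is what turns a completed cross-realm ticket exchange into a permitted login.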