Re: ssh + kerberosV
On Sat, 2003-11-29 at 13:20, Julien TOUCHE wrote:
> Matthijs Mohlmann wrote:
>
> > touche@localhost is the fault
> >
> > you have to do it like this:
> > $ ssh touche@hostname <- and hostname must not be localhost
> >
> tested with `hostname` and `hostname -s`, and it failed ...
>
> in kdc.log:
> 2003-11-29T13:11:09 TGS-REQ touche@VPN.WWW from IPv4:192.168.2.5 for host/etenemanki.touche.www@VPN.WWW
> 2003-11-29T13:11:09 sending 591 bytes to IPv4:192.168.2.5
> 2003-11-29T13:11:09 AS-REQ touche@VPN.WWW from IPv4:192.168.2.5 for krbtgt/VPN.WWW@VPN.WWW
> 2003-11-29T13:11:09 Using des3-cbc-sha1/des3-cbc-sha1
> 2003-11-29T13:11:09 Requested flags: forwardable
> 2003-11-29T13:11:09 sending 560 bytes to IPv4:192.168.2.5
> 2003-11-29T13:11:09 TGS-REQ touche@VPN.WWW from IPv4:192.168.2.5 for host/etenemanki.touche.www@VPN.WWW
> 2003-11-29T13:11:09 sending 591 bytes to IPv4:192.168.2.5
>
> it seems a keytab problem also appears from time to time (authlog)
> Nov 29 13:11:09 etenemanki krb5: verify: Key table entry not found
>
> one problem which may arise is that I have two internal private domains
> (some kind of migration).
>
> I entered the host with the two suffixes for host/ & ssh/; not sure if it is
> sufficient.
>
You need a host key for every host you have. The Kerberos server then
trusts the host. When you also have an ssh server on the Kerberos server
itself, you need an ssh key there (in /etc/kerberosV/krb5.keytab). Every
host where an ssh server is running also needs an ssh key.
I think there must be one host key in the keytab on the client. (I'm not
really sure about that.)
And please, would you send the logs of the sshd server (with debug
options on) and the ssh client (with debug options on)? And also the
kdc.log from the moment when you ssh.
>
> > For localhost there is no entry in the Kerberos server :)
> ok
>
> Regards
>
> Julien
>
> note: I'm on the list
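The "Key table entry not found" error in the authlog means sshd looked in its keytab for the service principal the client obtained a ticket for (the "for host/..." target in the TGS-REQ lines of kdc.log) and did not find it. The check below is an added example, not code from the thread or from either poster: it parses Heimdal-style `klist -k` output and kdc.log lines and reports which requested service principals are missing from the keytab. The keytab listing, the log lines and the second domain name (etenemanki.touche.lan, standing in for the poster's unnamed second internal domain) are constructed for the example; on a real host you would feed it the output of `klist -k /etc/kerberosV/krb5.keytab` and the real kdc.log.

```shell
#!/bin/sh
# Added example: find service principals that clients requested from the KDC
# but that are absent from this host's keytab. Not code from the mailing-list
# thread; the sample data below is constructed.

# Constructed `klist -k` output in Heimdal's layout (Vno, Type, Principal).
KEYTAB_LISTING='FILE:/etc/kerberosV/krb5.keytab

Vno  Type           Principal
  2  des3-cbc-sha1  host/etenemanki.touche.www@VPN.WWW
  2  des3-cbc-sha1  ssh/etenemanki.touche.www@VPN.WWW'

# Constructed kdc.log lines shaped like the ones quoted in the thread. The
# .lan name is an assumed second internal domain, not one from the thread.
KDC_LOG='2003-11-29T13:11:09 TGS-REQ touche@VPN.WWW from IPv4:192.168.2.5 for host/etenemanki.touche.www@VPN.WWW
2003-11-29T13:11:09 sending 591 bytes to IPv4:192.168.2.5
2003-11-29T13:11:10 TGS-REQ touche@VPN.WWW from IPv4:192.168.2.5 for host/etenemanki.touche.lan@VPN.WWW
2003-11-29T13:11:10 sending 591 bytes to IPv4:192.168.2.5'

# keytab_principals LISTING -> one principal per line, deduplicated.
# Data rows start with a numeric key version number; header lines do not.
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $3 }' | sort -u
}

# requested_service_principals LOG -> the "for <principal>" target of every
# TGS-REQ line, i.e. the service principal a client wanted a ticket for.
requested_service_principals() {
    printf '%s\n' "$1" | awk '$2 == "TGS-REQ" { print $NF }' | sort -u
}

# missing_principals LOG LISTING -> requested principals the keytab lacks.
# Every line printed here is a name sshd would fail on with
# "verify: Key table entry not found".
missing_principals() {
    reqs=$(requested_service_principals "$1")
    have=$(keytab_principals "$2")
    printf '%s\n' "$reqs" | while IFS= read -r p; do
        [ -n "$p" ] || continue
        printf '%s\n' "$have" | grep -qxF -- "$p" || printf '%s\n' "$p"
    done
}

# Stand-alone run: report what is missing for the constructed data.
missing_principals "$KDC_LOG" "$KEYTAB_LISTING"
```

With the constructed data the only line reported is host/etenemanki.touche.lan@VPN.WWW: the ticket the client got was for the second domain's name, which the keytab does not contain, so sshd on that host cannot verify it even though the KDC happily issued it. When a host is reachable under two domain suffixes, its keytab needs a host/ entry for each name the client may resolve it to.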