I apologize in advance if this question is pretty information-dense. I'm using the kdc in the 5.3 base system as an authentication server for my home LAN. I can use kinit to get a TGT from the server from machines on the LAN and elsewhere on the Internet, and I can use SSH with the "GSSAPIAuthentication yes" option to connect to my main server via IPv4 or IPv6. So far, so good.
Next, I decided to kerberize the SSH daemon inside one of my jail servers,
virtual1.honeypot.net, so I created a principal for it
(host/virtual1.honeypot.net) and extracted that into the jail's
/etc/keytab file.
Now, I can SSH to that machine from any of the hosts on my LAN, but when
I try to connect from the outside world using the FQDN of the jail, I get
a lot of errors like this in kdc.log:
2004-12-29T16:34:58 TGS-REQ [EMAIL PROTECTED] from IPv4:1.2.3.4 for
krbtgt/[EMAIL PROTECTED]
2004-12-29T16:34:58 Server not found in database: krbtgt/[EMAIL PROTECTED]:
No such entry in the database
and "ssh -v virtual1.honeypot.net" fails with messages like:
debug1: match: OpenSSH_3.8.1p1 FreeBSD-20040419 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1 Debian-krb5 3.8.1p1-7
debug1: Miscellaneous failure
Server not found in Kerberos database
HONEYPOT.NET is my LAN's realm, and conpoint.com is my home ISP's domain
name.
My questions are:
1) Why can I use Kerberos to authenticate to that jail server from inside
my LAN, but not from outside (especially when I can connect to its parent
machine from the outside world)?
2) Where on earth did that "krbtgt/[EMAIL PROTECTED]" request
come from?
--
Kirk Strauser
pgpC53nRrYUyn.pgp
Description: PGP signature
