I'm currently using openssh-4.3p2 compiled with krb5-1.4.4 and the GSSAPI 
Key Exchange patch (gsskex-20060223).  On my current system this works 
fine.

I'm moving the server to a new cluster of RHE hosts that use virtual 
interfaces (e.g. eth0:1) to allow for failover to a new host while still 
maintaining the original IP address.  On this new system I'm getting the 
following error when I run sshd in debug (-ddd) mode:

   Wrong principal in request

To simplify things, I set up a virtual interface on my own Redhat 
workstation where I'm also running my own KDC.  I'm able to get the same 
error.

I have 2 IP addresses and 2 hostnames associated with the 2 interfaces 
(one of them a virtual interface) on my workstation:

   interface   hostname        ip
   -----------------------------------------
   eth0        gort.home.org   192.168.0.2
   eth0:1      cvs.home.org    192.168.0.200

I've created 2 service principals and added them to /etc/krb5.keytab:

    host/[EMAIL PROTECTED]
    host/[EMAIL PROTECTED]

When I connect to the sshd server using my gssapi-with-mic/gsskex enabled 
client using the hostname gort.home.org everything works fine.  But if I 
connect using the hostname cvs.home.org I get the "Wrong principal in 
request" error.

From the client side, when I run klist it shows I have valid credentials:

   krbtgt/[EMAIL PROTECTED]
   host/[EMAIL PROTECTED]

I can find no errors in /var/log/krb5kdc.log or /var/log/messages.

The ssh client doesn't display any errors, even in debug mode... right 
after "Delegating credentials", the connection is closed.

Is this a problem with Kerberos?  OpenSSH?

Does this type of configuration simply not work?  Is there a way to make 
it work?

Any help would really be appreciated, thanks.
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos