Hi, what OS / Kerberos version is running on your laptop?
Try to enable the GSSAPI* options in the client and server config files. Also check if you can disable the "trust dns" option on the ssh client. The machine should try to get a ticket for the public ip/name and not for the system behind it, so the tickets won't match.

KR,
Oliver

On 01.08.2012 at 15:09, Jörg Herzinger <[email protected]> wrote:

> Hi, I am trying to get GSSAPI auth to work and the problem is that my
> kerberos server and the ssh server I want to connect to are behind a NAT.
> My setup looks like this:
>
> my_laptop -------- virtual_machine_host ----- kerberos & ssh server
> (any ip here)      128.131.XX.YY - 10.0.0.1   10.0.0.2 & 10.0.0.3
>
> Port forwards are done by iptables on my virtual-machine-host. Port 22 is
> forwarded to my ssh server. I can get a kerberos ticket easily on my
> laptop:
>
> joerg@laptop ~ % kinit joerg
> Password for [email protected]:
> joerg@laptop ~ % klist -af
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: [email protected]
>
> Valid starting     Expires            Service principal
> 08/01/12 09:34:39  08/01/12 23:34:39  krbtgt/[email protected]
>         renew until 08/02/12 09:35:00, Flags: FPRI
>         Addresses: (none)
>
> Connecting to my virtual machine host with gssapi auth also works like
> expected but when I try to connect to my ssh server gssapi fails (No valid
> Key exchange context) and I am prompted for a password. Connecting via ssh
> from my kerberos server to my ssh server internally works too.
> The strange thing I found is that even with NO host keytab on my ssh server
> I do get a ticket when trying to connect.
>
> joerg@laptop ~ % kinit joerg
> Password for [email protected]:
> joerg@laptop ~ % klist -af
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: [email protected]
>
> Valid starting     Expires            Service principal
> 08/01/12 09:46:42  08/01/12 23:46:42  krbtgt/[email protected]
>         renew until 08/02/12 09:47:03, Flags: FPRI
>         Addresses: (none)
> joerg@blackmini ~ % ssh root@virtual-machine-host
> Warning: Permanently added 'virtual-machine-host,128.131.XX.YY' (ECDSA) to
> the list of known hosts.
> Password:
>
> 130 joerg@laptop ~ % klist -af
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: [email protected]
>
> Valid starting     Expires            Service principal
> 08/01/12 09:46:42  08/01/12 23:46:42  krbtgt/[email protected]
>         renew until 08/02/12 09:47:03, Flags: FPRI
>         Addresses: (none)
> 08/01/12 09:46:57  08/01/12 23:46:42  host/virtual-machine-host@
>         renew until 08/02/12 09:47:03, Flags: FPRT
>         Addresses: (none)
> 08/01/12 09:46:57  08/01/12 23:46:42  host/[email protected]
>         renew until 08/02/12 09:47:03, Flags: FPRT
>         Addresses: (none)
>
> I already read a lot about addressless tickets and "rdns=no", but all
> this seems way outdated. The config option "extra_addresses" looks
> promising but I didn't have success with this either. I am working on
> ubuntu laptop 11.04 and ssh server is Debian Squeeze.
> Any ideas or further suggestions on what I could try to get this working?
> This would be quite important for me.
>
> thanks,
> Jörg
>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
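The thread's diagnosis hinges on one question: which `host/` principal did the client actually ask the KDC for, and does the sshd that answers port 22 hold a key for it? The `klist -af` output in Jörg's mail already contains the answer. The following script is an added example, not code from the thread or from either poster: it parses `klist -af` output in MIT Kerberos format (a constructed copy of the listing above, with the redacted realm replaced by the placeholder `EXAMPLE.COM` and the second host ticket assumed to be `host/virtual-machine-host.example.com@EXAMPLE.COM`), lists the cached service tickets, confirms they are addressless (address-bound tickets break across NAT), and checks each `host/` principal against a constructed keytab for the internal ssh server. The keytab contents, hostnames and the "fixed" keytab are assumptions; the check itself reflects how an MIT krb5 acceptor works: sshd can only decrypt a service ticket whose principal has a key in its keytab, so a ticket for the NAT host's public name is rejected by the server behind it until that server's keytab also holds a key for the public name.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for the poster's `klist -af` listing after the failed
# ssh attempt. The realm is a placeholder; the thread redacts it.
KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: joerg@EXAMPLE.COM

Valid starting     Expires            Service principal
08/01/12 09:46:42  08/01/12 23:46:42  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 08/02/12 09:47:03, Flags: FPRI
\tAddresses: (none)
08/01/12 09:46:57  08/01/12 23:46:42  host/virtual-machine-host@
\trenew until 08/02/12 09:47:03, Flags: FPRT
\tAddresses: (none)
08/01/12 09:46:57  08/01/12 23:46:42  host/virtual-machine-host.example.com@EXAMPLE.COM
\trenew until 08/02/12 09:47:03, Flags: FPRT
\tAddresses: (none)
"""

# Assumed keytab of the internal machine that really answers port 22.
ORIGINAL_KEYTAB = {"host/ssh-server.example.com@EXAMPLE.COM"}
# Same keytab after a key for the public (NAT) name has been added to it.
FIXED_KEYTAB = ORIGINAL_KEYTAB | {"host/virtual-machine-host.example.com@EXAMPLE.COM"}

TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)\s*$"
)
FLAGS_RE = re.compile(r"Flags:\s*(\S+)")
ADDR_RE = re.compile(r"Addresses:\s*(.+)$")


@dataclass
class Ticket:
    valid_from: str
    expires: str
    service: str
    flags: str = ""
    addresses: str = ""


def parse_klist(text):
    """Parse `klist -af` output into Ticket records (MIT krb5 format)."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append(Ticket(*m.groups()))
            continue
        if not tickets:
            continue  # cache/principal header lines before the first ticket
        s = line.strip()
        m = FLAGS_RE.search(s)
        if m:
            tickets[-1].flags = m.group(1)
        m = ADDR_RE.search(s)
        if m:
            tickets[-1].addresses = m.group(1).strip()
    return tickets


def split_principal(principal):
    """'host/name@REALM' -> ('host', 'name', 'REALM'); realm may be empty."""
    name, _, realm = principal.partition("@")
    service, _, instance = name.partition("/")
    return service, instance, realm


def host_tickets(tickets):
    return [t for t in tickets if split_principal(t.service)[0] == "host"]


def addressless(ticket):
    """True when the ticket carries no client address, so NAT cannot break it."""
    return ticket.addresses == "(none)"


def explain(tickets, keytab):
    """For each cached host/ ticket, say whether an sshd holding `keytab`
    could decrypt it. Returns a list of (principal, verdict)."""
    report = []
    for t in host_tickets(tickets):
        _, _, realm = split_principal(t.service)
        if not realm:
            report.append((t.service, "no realm in principal: no keytab entry can match it"))
        elif t.service in keytab:
            report.append((t.service, "accepted: key present in server keytab"))
        else:
            report.append((t.service, "rejected: server keytab has no key for this principal"))
    return report


if __name__ == "__main__":
    cached = parse_klist(KLIST_OUTPUT)
    print("addressless:", all(addressless(t) for t in cached))
    for label, kt in (("original keytab", ORIGINAL_KEYTAB), ("fixed keytab", FIXED_KEYTAB)):
        for principal, verdict in explain(cached, kt):
            print(f"{label:16} {principal:52} {verdict}")
```

Run against a real cache, the same logic applies: check that the `host/` entry `klist -af` shows after the failed login names the host you typed, and that the server behind the NAT has that exact principal in its keytab (`klist -k` on the server). If the client canonicalizes the name through DNS (`GSSAPITrustDNS yes` in `ssh_config`, or `rdns = true` in `krb5.conf`), the requested name can differ from what you typed, which is why Oliver's first suggestion is to turn that off and compare the two names.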
