On 08/01/2012 11:04 AM, Douglas E. Engert wrote:
>
>
> On 8/1/2012 8:09 AM, "Jörg Herzinger" wrote:
>> Hi, I am trying to get GSSAPI auth to work and the problem is that my
>> kerberos server and the ssh server I want to connect to are behind a NAT.
>> My setup looks like this:
>>
>> my_laptop -------- virtual_machine_host ----- kerberos & ssh server
>> (any ip here)      128.131.XX.YY - 10.0.0.1   10.0.0.2 & 10.0.0.3
>>
>> Port forwards are done by iptables on my virtual-machine-host. Port 22 is
>> forwarded to my ssh server. I can get a kerberos ticket easily on my
>> laptop:
>> joerg@laptop ~ % kinit joerg
>> Password for [email protected]:
>> joerg@laptop ~ % klist -af
>> Ticket cache: FILE:/tmp/krb5cc_1000
>> Default principal: [email protected]
>>
>> Valid starting     Expires            Service principal
>> 08/01/12 09:34:39  08/01/12 23:34:39  krbtgt/[email protected]
>>         renew until 08/02/12 09:35:00, Flags: FPRI
>>         Addresses: (none)
>>
>> Connecting to my virtual machine host with gssapi auth also works as
>> expected, but when I try to connect to my ssh server gssapi fails (No valid
>> Key exchange context) and I am prompted for a password. Connecting via ssh
>> from my kerberos server to my ssh server internally works too.
>> The strange thing I found is that even with NO host keytab on my ssh server
>> I do get a ticket when trying to connect.
>>
>> joerg@laptop ~ % kinit joerg
>> Password for [email protected]:
>> joerg@laptop ~ % klist -af
>> Ticket cache: FILE:/tmp/krb5cc_1000
>> Default principal: [email protected]
>>
>> Valid starting     Expires            Service principal
>> 08/01/12 09:46:42  08/01/12 23:46:42  krbtgt/[email protected]
>>         renew until 08/02/12 09:47:03, Flags: FPRI
>>         Addresses: (none)
>> joerg@blackmini ~ % ssh root@virtual-machine-host
>> Warning: Permanently added 'virtual-machine-host,128.131.XX.YY' (ECDSA) to
>> the list of known hosts.
>> Password:
>>
>> 130 joerg@laptop ~ % klist -af
>> Ticket cache: FILE:/tmp/krb5cc_1000
>> Default principal: [email protected]
>>
>> Valid starting     Expires            Service principal
>> 08/01/12 09:46:42  08/01/12 23:46:42  krbtgt/[email protected]
>>         renew until 08/02/12 09:47:03, Flags: FPRI
>>         Addresses: (none)
>> 08/01/12 09:46:57  08/01/12 23:46:42  host/virtual-machine-host@
>>         renew until 08/02/12 09:47:03, Flags: FPRT
>>         Addresses: (none)
>> 08/01/12 09:46:57  08/01/12 23:46:42  host/[email protected]
>>         renew until 08/02/12 09:47:03, Flags: FPRT
>>         Addresses: (none)
>>
>
>> I already read a lot about addressless tickets and "rdns=no", but all
>> this seems way outdated. The config option "extra_addresses" looks
>> promising but I didn't have success with this either. I am working on an
>> Ubuntu 11.04 laptop and the ssh server is Debian Squeeze.
>> Any ideas or further suggestions on what I could try to get this working?
>> This would be quite important for me.
>
> The above ticket is only good for services on virtual-machine-host.
> But the service is on ssh-server.
>
> Kerberos uses hostnames in tickets, not IP. So what is the host name
> of your ssh-server at 10.0.0.3? Sounds like you already have a principal
> for it in the KDC and a keytab.
>
> You will then need to tell your laptop that the IP number for the
> ssh-server is the same as the virtual-machine-host, so the ssh client
> will get a ticket based on the name and ssh will make the TCP
> connection to the IP and port of the virtual-machine-host, which will
> route to the ssh-server.
> Both the client and ssh-server will then be using the same name
> for the principal.
>
> Running with ssh -v -v -v and sshd -d -d -d
> will give debug info.
>
> You may want to assign a forwarded ssh port for each of your
> back end servers, and leave 22 for the virtual-machine-host.
> You could then ssh to any of them from your laptop.
>
> Your laptop will then have to use a name and port for each.
> The /etc/hosts file will have all the names mapping to the
> IP of the virtual-machine-host.
> ~/.ssh/config could add the port.
>

Correct me if I am wrong, but what you are saying is to put in /etc/hosts (using the OP's example)

128.131.XX.YY kerberos.lan.com ssh.lan.com

I tried that, and when I did

kinit -fAp
ssh -vvv -p 1234 -o GSSAPITrustDNS=no ssh.lan.com

ssh acted like it was trying to authenticate against kerberos.lan.com, not ssh.lan.com.

>>
>> thanks,
>> Jörg
>>
>>
>> ________________________________________________
>> Kerberos mailing list           [email protected]
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
>
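The layout Douglas describes (every back-end name resolving to the VM host, one forwarded port per back end, the port carried in ~/.ssh/config) written out as an added example; this is editor-supplied, not code from anyone on the thread. All values are assumptions: the VM host keeps the thread's masked 128.131.XX.YY, and the back-end names, internal addresses and external ports are made up. It also adds the one check the last poster's symptom points at: with "128.131.XX.YY kerberos.lan.com ssh.lan.com" on a single hosts line, a reverse lookup of that address returns kerberos.lan.com, and with rdns = true (the libkrb5 default) the library runs the name through a forward and reverse lookup before building host/<name>, so ssh.lan.com turns into host/kerberos.lan.com regardless of GSSAPITrustDNS; rdns = false in [libdefaults] stops that. GSSAPIKeyExchange is the option added by the Debian/Ubuntu GSSAPI key-exchange patch (the source of the "Key exchange context" message), not stock OpenSSH.

```shell
#!/bin/sh
# Added example, not from the thread.  Placeholder values throughout.
VMHOST_IP="128.131.XX.YY"
# name:internal_ip:external_port, one entry per back end (assumed)
BACKENDS="ssh.lan.com:10.0.0.3:2223 kerberos.lan.com:10.0.0.2:2222"

# /etc/hosts on the laptop: every back-end name resolves to the VM host.
# Note that reverse lookup of the shared address still returns the first
# matching line's first name, so this alone does not fix which host/
# principal libkrb5 asks for; the [libdefaults] fragment below does.
hosts_entries() {
    for b in $BACKENDS; do
        printf '%s %s\n' "$VMHOST_IP" "${b%%:*}"
    done
}

# ~/.ssh/config on the laptop: one Host block per back end with its port.
# GSSAPIKeyExchange exists only with the Debian/Ubuntu GSSAPI patch.
ssh_config() {
    for b in $BACKENDS; do
        name=${b%%:*}
        port=${b##*:}
        printf 'Host %s\n' "$name"
        printf '    HostName %s\n' "$name"
        printf '    Port %s\n' "$port"
        printf '    GSSAPIAuthentication yes\n'
        printf '    GSSAPIKeyExchange yes\n\n'
    done
}

# iptables on the VM host: DNAT each external port to port 22 of its back
# end and let the forwarded flow through; port 22 on the VM host is untouched.
nat_rules() {
    for b in $BACKENDS; do
        rest=${b#*:}
        ip=${rest%%:*}
        port=${rest##*:}
        printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -j DNAT --to-destination %s:22\n' "$port" "$ip"
        printf 'iptables -A FORWARD -p tcp -d %s --dport 22 -j ACCEPT\n' "$ip"
    done
}

# /etc/krb5.conf on the laptop: keep libkrb5 from canonicalising the
# service name through reverse DNS (or /etc/hosts) before building host/<name>.
krb5_libdefaults() {
    printf '[libdefaults]\n    rdns = false\n'
}

# Print all four fragments when run as:  sh nat_gssapi.sh show
if [ "${1:-}" = "show" ]; then
    echo '# /etc/hosts';          hosts_entries
    echo '# ~/.ssh/config';       ssh_config
    echo '# run on the VM host';  nat_rules
    echo '# /etc/krb5.conf';      krb5_libdefaults
fi
```

After applying the fragments, "ssh -vvv ssh.lan.com" should show the client requesting host/ssh.lan.com, which is the principal the ssh server's keytab holds, and "sshd -d -d -d" on that server should show the GSSAPI exchange completing instead of falling back to a password prompt.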
