Hi,
I'm trying to get cross-realm authentication to work between A.COM and
B.NET for openssh.
The setup is as follows:
the KDC from A.COM has a principal [EMAIL PROTECTED]
the KDC from B.NET has the principal host/[EMAIL PROTECTED]
There's also a principal krbtgt/[EMAIL PROTECTED] on both KDCs.
The cross-realm authentication seems to work. After kinit [EMAIL PROTECTED] and
attempting to ssh to [EMAIL PROTECTED] I have the following tickets:
(deepstar/tachyon) ~$ klist
Credentials cache: FILE:/tmp/krb5cc_1000
Principal: [EMAIL PROTECTED]
Issued Expires Principal
May 29 15:07:18 May 30 01:09:24 krbtgt/[EMAIL PROTECTED]
May 29 15:07:20 May 30 01:09:24 krbtgt/[EMAIL PROTECTED]
May 29 15:07:19 May 30 01:09:24 host/[EMAIL PROTECTED]
But I can't log in. When I get a ticket for [EMAIL PROTECTED] and attempt to
log in, it works.
So at least I know the setup is correct.
The log from the KDC at B.NET shows something like this:
2006-05-29T15:07:19 TGS-REQ [EMAIL PROTECTED] from IPv4:192.168.2.103 for
host/[EMAIL PROTECTED] [proxiable, forwardable]
2006-05-29T15:07:19 Client not found in database: [EMAIL PROTECTED]: No such
entry in the database
2006-05-29T15:07:19 cross-realm A.COM -> B.NET
2006-05-29T15:07:19 sending 665 bytes to IPv4:192.168.2.103
Where 192.168.2.103 is the client as well as the SSH server in this case...
This leads me to conclude that the SSH server is trying to verify [EMAIL PROTECTED] against the B.NET realm.
I'm not sure why this happens (krb5.conf should be set up correctly).
Does anyone have a similar problem and maybe a fix?
I'm using OpenSSH 4.2p1-8 (Debian unstable).
Kind regards,
-- Steven Van Acker
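An added example (not part of Steven's post) modelling the local-user authorization step that sshd runs after the Kerberos exchange itself has succeeded: a principal from a foreign realm is rejected unless the target account's ~/.k5login lists it or an auth_to_local-style mapping turns it into the local user name. The principal names, the local user `user`, the .k5login contents and the simplified (regex, replacement) rule format are constructed assumptions; the functions are a simplified model of the decision, not MIT's or Heimdal's krb5_kuserok.

```python
import re


def parse_k5login(text):
    """Return the set of principals listed in a ~/.k5login file (constructed input)."""
    return {line.strip() for line in text.splitlines()
            if line.strip() and not line.startswith("#")}


def apply_auth_to_local(principal, local_realm, rules):
    """Simplified model of auth_to_local: rules are (regex, replacement) pairs
    tried in order; the DEFAULT rule maps name@LOCALREALM to name and leaves
    every other principal (foreign realm or service principal) unmapped."""
    for pattern, repl in rules:
        if re.fullmatch(pattern, principal):
            return re.sub(pattern, repl, principal)
    name, _, realm = principal.rpartition("@")
    if realm == local_realm and "/" not in name:
        return name
    return None


def kuserok(principal, local_user, local_realm, k5login=None, rules=()):
    """Decide whether `principal` may log in as `local_user` on a host in `local_realm`.
    Order modelled here: an existing .k5login is authoritative; otherwise the
    principal must map to exactly the requested local user name."""
    if k5login is not None:
        return principal in parse_k5login(k5login)
    return apply_auth_to_local(principal, local_realm, rules) == local_user


if __name__ == "__main__":
    # Constructed scenario: client principal from A.COM, sshd host in B.NET.
    print(kuserok("user@A.COM", "user", "B.NET"))                      # False
    print(kuserok("user@B.NET", "user", "B.NET"))                      # True
    print(kuserok("user@A.COM", "user", "B.NET", k5login="user@A.COM\n"))  # True
    print(kuserok("user@A.COM", "user", "B.NET",
                  rules=[(r"(.*)@A\.COM", r"\1")]))                     # True
```

The first call reproduces the symptom in the post: a valid service ticket for host/...@B.NET is not enough on its own, because the authorization step still has to map the A.COM principal onto a local account.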