Hi!
On and off for the last few weeks, and all of today, I've been playing with
Kerberos.
But, I'm stuck, completely.
Kerberos works, I know that. I can quite happily get tickets from the server.
First thing I want to kerberise is ssh, as it's a fundamental, and easily
testable tool.
I've been working in two different ways, but am getting the same outcome.
1) host service principal in systemwide /etc/krb5.keytab
2) host service principal in ssh specific /etc/ssh/sshd.keytab, and an 'export
KRB5_KTNAME=/etc/ssh/sshd.keytab' right before the call to start-stop-daemon
in /etc/init.d/sshd
My kerberos realm is HOME.GAIMA.CO.UK, but it *looks* like ssh is truncating
that to CO.UK, and GAIMA.CO.UK.
mike@sauron mike $ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: kerb@HOME.GAIMA.CO.UK
Valid starting Expires Service principal
10/16/04 18:54:58 10/17/04 04:54:58 krbtgt/HOME.GAIMA.CO.UK@HOME.GAIMA.CO.UK
renew until 10/17/04 18:54:57
I've attached a log of DNS activity (dnscache), a section of krb5kdc.log from
the server, the output & strace of ssh (strace ssh -l kerb
gandalf.home.gaima.co.uk -v 2>ssh-strace.log), and my krb5.conf.
Both boxes are stable x86, with all kerberos USE'd packages compiled with it
enabled, and mit-krb5 installed.
The following 2 options are set in ~/.ssh/config on the client:
GSSAPIDelegateCredentials yes
GssapiAuthentication yes
And these in /etc/ssh/sshd_config on the server:
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
Are there any kerberos gurus on list that can put me out of my misery?
Google hasn't helped :(
Cheers
--
Mike Williams
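Not part of the original mail: an added Python sketch of how a Kerberos client picks the realm for a server name from the krb5.conf [domain_realm] section (exact host first, then each parent domain with a leading dot, falling back to default_realm), which is the kind of walk that produces intermediate names like GAIMA.CO.UK and CO.UK. The krb5.conf text and hostnames below are constructed, and the walk is a simplification of the MIT library's lookup (no DNS TXT step, no parsing of nested [realms] stanzas).

```python
# Added example, not from the original mail: how a Kerberos client maps a
# server hostname to a realm via the krb5.conf [domain_realm] section.
# The config text is constructed; the walk is a simplification of MIT's
# lookup (no DNS TXT step, no parsing of nested [realms] stanzas).

KRB5_CONF = """\
[libdefaults]
    default_realm = HOME.GAIMA.CO.UK
    dns_lookup_realm = false

[domain_realm]
    .home.gaima.co.uk = HOME.GAIMA.CO.UK
    home.gaima.co.uk = HOME.GAIMA.CO.UK
"""


def parse_flat_sections(text):
    """Return {section: {key: value}}; lines with '{' or '}' (nested
    [realms] blocks) are skipped, which is enough for the sections used here."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "{" in line or "}" in line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current][key.lower()] = value
    return sections


def realm_candidates(hostname):
    """Keys tried in order: the exact host, then each parent domain with a
    leading dot ('gandalf.home.gaima.co.uk' walks down to '.uk')."""
    labels = hostname.lower().rstrip(".").split(".")
    return [".".join(labels)] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]


def lookup_realm(hostname, conf_text):
    """First [domain_realm] hit wins (longest suffix), else default_realm, else None."""
    conf = parse_flat_sections(conf_text)
    mapping = conf.get("domain_realm", {})
    for key in realm_candidates(hostname):
        if key in mapping:
            return mapping[key]
    return conf.get("libdefaults", {}).get("default_realm")
```

If the candidate walk for the server's name never hits a [domain_realm] entry, an explicit `.home.gaima.co.uk = HOME.GAIMA.CO.UK` line pins the realm, and `klist -k` on the server shows whether the keytab really holds host/gandalf.home.gaima.co.uk@HOME.GAIMA.CO.UK.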