[27754] in Kerberos
Re: kerberos, hpux 11.11, ssh
daemon@ATHENA.MIT.EDU (Christopher D. Clausen)
Wed May 9 15:16:55 2007
Message-ID: <56F515E6C20B43E6924F9F004774ED8F@CDCHOME>
From: "Christopher D. Clausen" <cclausen@acm.org>
To: "Wilson, Michael" <michael.wilson@diebold.com>
Date: Wed, 9 May 2007 14:11:31 -0500
Cc: kerberos@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Wilson, Michael <michael.wilson@diebold.com> wrote:
> ***KLIST -kte***
> [abc]:/var/adm/syslog # klist -kte
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
> 6 05/08/07 16:12:33 host/abc@KDC.DIEBOLD.COM (DES cbc mode with RSA-MD5)
>
> ***HOSTS FILE***
> [abc]:/etc $ cat hosts
> #
> 10.9.1.1 abc
> 127.0.0.1 localhost loopback
Well, I suspect that should be using a FQDN and not just "host/abc". Does
kinit -kt /etc/krb5.keytab host/abc
actually work?
(You should not get any messages, and klist should show tickets for the
host/abc principal.)
> ***KRB5.CONF***
> [abc]:/etc # cat krb5.conf
> [logging]
> default = FILE:/var/adm/krb5lib.log
> kdc = FILE:/var/adm/krb5kdc.log
> admin_server = FILE:/var/adm/kKDCmind.log
>
> [libdefaults]
> ticket_liftetime = 24000
> default_realm = KDC.DIEBOLD.COM
Your Windows AD domain is called KDC.DIEBOLD.COM ? That doesn't sound
right.
> dns_lookup_realm = false
> dns_lookup_kdc = true
> default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5
> default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5
Delete the above two lines. Hardcoding enctypes is a bad idea and will
cause you much pain in the future.
> The keytab was added earlier and is now in place.
> After I read your email I reviewed a few things and here is where we
> are now:
>
> We can telnet into 'abc' and we get authenticated via active
> directory. When we use ssh to try this we get rejected.
Authenticated using Kerberos tickets? OR via typing in a password?
What EXACT error message do you get from SSH? And is the error message
actually from SSH itself? Or from whatever PAM type stuff that hpux
uses?
> We have tried to find results for this on the internet, but have had
> no viable luck.
Try the following:
kdestroy
kinit -f -5 -p <user>@<REALM>
klist -ef
ssh -vvv -o "GSSAPIAuthentication yes" <machine>
(Ctrl-C it if you get a password prompt or if it doesn't work.)
klist -ef
(yes, again, and look for a host/* ticket)
And what does your sshd_config file look like?
<<CDC
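An added helper script (mine, not from the thread or from MIT Kerberos) that parses the text `klist -kte` and `klist -ef` print and flags the three things the reply above asks about: a host/ principal that is not a FQDN, a keytab limited to single DES, and whether a host/* service ticket showed up after the ssh -vvv attempt. The sample keytab and cache listings at the bottom are constructed to mirror the poster's output; the second keytab entry and the EXAMPLE.COM realm are assumed, not taken from the thread.

```shell
#!/bin/sh
# POSIX sh + awk only, so it also runs on an old HP-UX box.
# Pipe real output in:  klist -kte | check_keytab ;  klist -ef | host_tickets

# stdin: `klist -kte` output.  One line per entry: OK|SHORTNAME [WEAK-DES] <principal> <enctype>
check_keytab() {
    awk '
    /^ *[0-9]+ / {
        for (i = 1; i <= NF; i++) if ($i ~ /@/) { prin = $i; break }   # principal field
        if (prin == "") next
        enc = index($0, "(") ? substr($0, index($0, "(")) : "-"         # "(DES cbc mode ...)"
        split(prin, p, "[/@]")                                          # p[1]=service p[2]=host p[3]=realm
        verdict = "OK"
        if (p[1] == "host" && p[2] !~ /\./) verdict = "SHORTNAME"       # host/abc instead of host/abc.dom.tld
        if (enc ~ /^\(DES cbc/) verdict = verdict " WEAK-DES"           # single DES; 3DES prints "Triple DES"
        print verdict, prin, enc
        prin = ""
    }'
}

# stdin: `klist -ef` output.  Prints every host/ service ticket; exit 1 if ssh never fetched one.
host_tickets() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^host\/.*@/) { print $i; n++ } }
         END { exit n ? 0 : 1 }'
}

# Constructed samples (not captured from the poster's machine).
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   6 05/08/07 16:12:33 host/abc@KDC.DIEBOLD.COM (DES cbc mode with RSA-MD5)
   6 05/08/07 16:12:33 host/abc.example.com@EXAMPLE.COM (Triple DES cbc mode with HMAC/sha1)'

SAMPLE_CACHE='Ticket cache: FILE:/tmp/krb5cc_100
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
05/09/07 14:00:00  05/10/07 00:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: FIA, Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
05/09/07 14:00:10  05/10/07 00:00:00  host/abc.example.com@EXAMPLE.COM
        Flags: FA, Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1'

printf '%s\n' "$SAMPLE_KEYTAB" | check_keytab
printf '%s\n' "$SAMPLE_CACHE"  | host_tickets || echo "no host/* ticket: GSSAPI never reached the KDC"
```

A SHORTNAME verdict means the keytab entry cannot match the host/FQDN name the client will request after DNS canonicalisation, which is the mismatch the reply suspects.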
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos