[38677] in Kerberos
Unable to SSH with Kerberos user
daemon@ATHENA.MIT.EDU (Rocky Hotas)
Sat Jan 25 10:44:07 2020
MIME-Version: 1.0
Message-ID: <trinity-457f08c1-0a02-4609-a312-8a35c4b381cf-1579967035068@3c-app-mailcom-lxa11>
From: "Rocky Hotas" <rockyhotas@post.com>
To: kerberos@mit.edu
Date: Sat, 25 Jan 2020 16:43:55 +0100
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Hello!
I am trying to set up a Kerberos server and a client for the first time,
both using Xubuntu 18.04. I created a normal user `joe' and I am able
to successfully do, from the client:
$ kinit joe
Password for joe@XEXAMPLE.INTK:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: joe@XEXAMPLE.INTK
Valid starting Expires Service principal
25/01/2020 16:10:42 26/01/2020 02:10:42 krbtgt/XEXAMPLE.INTK@XEXAMPLE.INTK
renew until 26/01/2020 16:10:28
Despite the client and server being in the same LAN, when I enter the
password a long wait of several seconds occurs, before the prompt is back
again. I would now like to ssh into the Kerberos server from the client,
as `joe', without being prompted again for a password:
$ ssh joe@<server_FQDN>
However, the password is asked here, despite the TGT shown above, and
even with the correct password the permission is denied.
What could be wrong with this configuration? Also, I still did not
understand the role of the keytab in this operation. Is it necessary?
Note that my user (in the Xubuntu system of the client) has not the name
`joe', as shown in the logs below: `joe' only belongs to Kerberos.
Log of ssh with `-vvv' option: https://pastebin.com/DSueXmf0
Client /etc/ssh/ssh_config: https://pastebin.com/14FWX5ye
Client /etc/krb5.conf: https://pastebin.com/Vpqs0VxT
Server /etc/krb5.conf: https://pastebin.com/1wnB6vum
Server /etc/ssh/sshd_config: https://pastebin.com/WwdyQvF0
Guide followed for setup: https://www.linuxtoday.com/blog/integrating-ldap-and-kerberos-part-one-kerberos.html
(at random times, the link is unavailable; use Google cache page if
needed)
Thank you for having read,
Rocky
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
