I saw Oko mentioning this in another post, so thought I would ask here. I've been working off Tillman's Handbook article. https://www.freebsd.org/doc/handbook/kerberos5.html
KDC is krbtest. Server that should authorize by it is called krb2test. Then, various clients, some reachable by DNS, others are workstations on a local network, but the result is always the same.
Right now, just wondering if I've missed an obvious step.
On the KDC, called krbtest, I created a kdc.conf and ran kstash, which created a key in /var/heimdal.
kadmin -l
init MY.DOMAIN
add scott
add --random-key host/krb2test.my.domain
ext_keytab=/tmp/krb2test.keytab host/krb2test.my.domain
Add an /etc/krb5.conf file on krb2test. Running kinit scott and putting in scott's password shows a ticket and so on. Change krb2test's /etc/ssh/sshd_config file to allow GSSAPI authentication (as per the handbook article.)
Lastly on a client, copy over the same krb5.conf. kinit scott works, shows a ticket.
Then I try ssh -o GSSAPIAuthentication=yes scott@krb2test. As I understand it, I should be able to log in without a password. However, it asks for a password and doesn't accept the Kerberos one.
These are three jails on the same host, and all can reach the others through DNS. As they're on the same host, time is identical. Running ssh -vvv shows
debug3: start over, passed a different list publickey,keyboard-interactive
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
So, obviously, I'm misunderstanding or overlooking something but not sure what and would be grateful for any suggestions.
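Added example, not part of the original post: a small shell helper for reading the ssh -vvv lines quoted above. In OpenSSH client debug output, the "start over, passed a different list" line carries the methods the server said can continue, and "preferred" is the client's own order; the function names and the SAMPLE_LOG variable are made up for this example.

```shell
#!/bin/sh
# Constructed sample: the four debug3 lines quoted in the post, one per line.
SAMPLE_LOG='debug3: start over, passed a different list publickey,keyboard-interactive
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password'

# Methods the server offered (last "start over" list seen in the log).
server_methods() {
    printf '%s\n' "$1" |
        sed -n 's/^debug3: start over, passed a different list //p' | tail -n 1
}

# The client's preference order (last "preferred" line seen in the log).
client_preferred() {
    printf '%s\n' "$1" | sed -n 's/^debug3: preferred //p' | tail -n 1
}

# Succeeds only if the server's list contains gssapi-with-mic.
gssapi_offered() {
    case ",$(server_methods "$1")," in
        *,gssapi-with-mic,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Client-preferred methods missing from the server's list, in client order.
not_offered() {
    offered=",$(server_methods "$1"),"
    missing=""
    old_ifs=$IFS
    IFS=,
    for m in $(client_preferred "$1"); do
        case "$offered" in
            *",$m,"*) ;;                              # server offers it
            *) missing="${missing:+$missing,}$m" ;;   # client wants it, server does not
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$missing"
}

if gssapi_offered "$SAMPLE_LOG"; then
    echo "server offers gssapi-with-mic"
else
    echo "server did not offer gssapi-with-mic; not offered: $(not_offered "$SAMPLE_LOG")"
fi
```

On the quoted lines, gssapi-with-mic is absent from the server's list, so the client skips it whatever ticket kinit obtained.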