DaemonForums > FreeBSD > FreeBSD General
#1   16th December 2014
scottro (Real Name: Scott Robbins), VPN Cryptographer
Join Date: Apr 2008, Location: NYC, Posts: 389, Thanked 31 Times in 25 Posts

Kerberos

I saw Oko mentioning this in another post, so I thought I would ask here. I've been working off Tillman's Handbook article: https://www.freebsd.org/doc/handbook/kerberos5.html

The KDC is krbtest. The server that should be authorized by it is called krb2test. Then there are various clients, some reachable by DNS, others workstations on a local network, but the result is always the same.

Right now, just wondering if I've missed an obvious step.

On the KDC, called krbtest, I created a kdc.conf and ran kstash, which created a key in /var/heimdal.

Then
Code:
kadmin -l 
init MY.DOMAIN 
add scott
Now, still on the KDC, using kadmin -l:
Code:
add --random-key host/krb2test.my.domain
ext_keytab --keytab=/tmp/krb2test.keytab host/krb2test.my.domain
Copy that /tmp file over to krb2test's /etc/ as krb5.keytab.

Add an /etc/krb5.conf file on krb2test. Running kinit scott and putting in scott's password shows a ticket and so on. Change krb2test's /etc/ssh/sshd_config file to allow GSSAPI authentication (as per the Handbook article).

Lastly on a client, copy over the same krb5.conf. kinit scott works, shows a ticket.

Then I try ssh -o GSSAPIAuthentication=yes scott@krb2test. As I understand it, I should be able to log in without a password. However, it asks for a password and doesn't accept the Kerberos one.

These are three jails on the same host, and each can reach the others through DNS. As they're on the same host, time is identical. Running ssh -vvv shows:

Code:
debug3: start over, passed a different list publickey,keyboard-interactive
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
So, it's as if ssh isn't trying to use GSSAPI, or at least, not trying very hard. I'm wondering if I'm missing something really obvious. Running tcpdump on the KDC shows activity when running kinit on a host with the krb5.conf file, but nothing when running ssh.

So, obviously, I'm misunderstanding or overlooking something but not sure what and would be grateful for any suggestions.
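Three offline checks for the failure the post describes, as an added example that is not from the post or the FreeBSD Handbook. The `start over, passed a different list ...` line in `ssh -vvv` output (like `Authentications that can continue: ...`) carries the list of methods the server still allows; when gssapi-with-mic is missing from it the client never attempts GSSAPI, so it never requests a service ticket and the KDC sees no traffic for the ssh session. The script parses such a transcript for that list, checks an sshd_config for `GSSAPIAuthentication yes` in its global section (sshd keeps the first value of a keyword, lines after the first `Match` only apply to matching connections, and the default is `no`), and compares the host principal in a Heimdal `ktutil list` listing with the `host/<fqdn>@REALM` name the client will ask for. The transcript, sshd_config and keytab listing are constructed here; the names krb2test.my.domain and MY.DOMAIN come from the post; the `Vno  Type  Principal` column layout of the ktutil output is an assumption.

```shell
#!/bin/sh
# Added diagnostic helpers for "ssh -o GSSAPIAuthentication=yes" falling back
# to a password.  Not from the post or the FreeBSD Handbook.  The sample
# transcript, sshd_config and keytab listing in demo() are constructed; the
# names krb2test.my.domain and MY.DOMAIN are taken from the post.

# 1. "start over, passed a different list A,B,C" and
#    "Authentications that can continue: A,B,C" in ssh -vvv output both carry
#    the methods the *server* still allows.  Without gssapi-with-mic there the
#    client never tries GSSAPI, so no service ticket is requested and the KDC
#    sees nothing for the ssh session.
server_offers_gssapi() {   # $1 = file with ssh -vvv output
    awk '
        /passed a different list/ || /Authentications that can continue:/ {
            n = split($NF, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == "gssapi-with-mic") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# 2. sshd_config: keywords are case-insensitive, "#" starts a comment,
#    "key value" and "key=value" are both accepted, the first value of a
#    keyword wins, and lines after the first Match only apply to matching
#    connections.  GSSAPIAuthentication defaults to no.
sshd_gssapi_enabled() {    # $1 = path to sshd_config
    awk '
        { sub(/#.*/, ""); gsub(/=/, " ") }
        NF == 0 { next }
        tolower($1) == "match" { in_match = 1 }
        !in_match && !seen && tolower($1) == "gssapiauthentication" {
            value = tolower($2); seen = 1
        }
        END { exit (value == "yes") ? 0 : 1 }
    ' "$1"
}

# 3. The client requests host/<canonical-hostname>@REALM, so the keytab on
#    the server must hold exactly that principal.  $1 = file holding the
#    output of "ktutil -k /etc/krb5.keytab list" (Heimdal's
#    "Vno  Type  Principal" columns are assumed), $2 = FQDN the client
#    resolves, $3 = realm.
keytab_has_host_principal() {
    want="host/$(printf '%s' "$2" | tr 'A-Z' 'a-z')@$(printf '%s' "$3" | tr 'a-z' 'A-Z')"
    awk -v want="$want" '$3 == want { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# Run all three checks on constructed inputs; returns 0 only if all pass.
demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed from the lines the post quotes: no gssapi-with-mic offered.
    cat > "$tmp/ssh.log" <<'EOF'
debug3: start over, passed a different list publickey,keyboard-interactive
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
EOF
    # Constructed sshd_config: the directive only exists inside a Match block.
    cat > "$tmp/sshd_config" <<'EOF'
# GSSAPIAuthentication no
Match Address 10.0.0.0/8
    GSSAPIAuthentication yes
EOF
    # Constructed Heimdal keytab listing (column layout assumed).
    cat > "$tmp/ktutil.out" <<'EOF'
Vno  Type                     Principal
  1  aes256-cts-hmac-sha1-96  host/krb2test.my.domain@MY.DOMAIN
EOF
    rc=0
    server_offers_gssapi "$tmp/ssh.log" \
        || { echo "server did not offer gssapi-with-mic"; rc=1; }
    sshd_gssapi_enabled "$tmp/sshd_config" \
        || { echo "GSSAPIAuthentication yes missing from global section"; rc=1; }
    keytab_has_host_principal "$tmp/ktutil.out" krb2test.my.domain MY.DOMAIN \
        || { echo "keytab lacks host/krb2test.my.domain@MY.DOMAIN"; rc=1; }
    rm -rf "$tmp"
    return $rc
}
```

On a real host, feed `server_offers_gssapi` a saved `ssh -vvv` transcript, point `sshd_gssapi_enabled` at the server's /etc/ssh/sshd_config, and pipe `ktutil -k /etc/krb5.keytab list` into a file for `keytab_has_host_principal`; the FQDN argument should be the name the client actually resolves for the server, not a short alias.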