[Bug 675448] Re: ssh does not authenticate against kerberos

Thomas Schweikle 675448 at bugs.launchpad.net
Wed Nov 17 12:04:17 GMT 2010 

First of all, because it makes me angry: WHERE IS A WAY IN LAUNCHPAD TO
ACCESS BUGS REPORTED BY ME WITHOUT KNOWING THE BUG
ID??????????????????????? Seems missing, was there. I'd really like to
have it back! Launchpad is nonsense if I can't access bug reports
without knowledge of the URL.

OK. Maybe someone notices it this way!


I've changed setup slightly to make it more convenient with DNS:

192.168.1.24 kvm-test
192.168.1.25 auth
192.168.1.26 UB0001

all names are resolved:
! UB0001:~% host kvm-test
! kvm-test.local has address 192.168.1.24
! UB0001:~% host ub0001
! ub0001.local has address 192.168.1.26
! UB0001:~% host auth
! auth.local has address 192.168.1.25

Principals are created:
! host/UB0001.local at XOMPU.DE
! host/auth.local at XOMPU.DE
! host/kvm-test.local at XOMPU.DE

Keytab is updated. I've used
! ank -randkey host/kvm-test
! ktadd -k /tmp/krb5.keytab -norandkey host/kvm-test

The generated file /tmp/krb5.keytab was copied to the machine in question.
All fine so far. Logging in to kvm-test succeeds with the krb5-password:
! Linux kvm-test 2.6.35-22-server #35-Ubuntu SMP
! Sat Oct 16 22:02:33 UTC 2010 x86_64 GNU/Linux Ubuntu 10.10
!
! Welcome to the Ubuntu Server!
! * Documentation:  http://www.ubuntu.com/server/doc
! Last login: Wed Nov 17 12:38:53 2010 from ub0001.local
! tu at kvm-test:~$ klist
! Ticket cache: FILE:/tmp/krb5cc_2023_AM9554
! Default principal: tu at LOCAL
!
! Valid starting     Expires            Service principal
! 11/17/10 12:46:29  11/17/10 22:46:29  krbtgt/LOCAL at LOCAL
!        renew until 11/18/10 12:46:19

Now since I've got a ticket I might login to auth or ub0001 without authehticating again:
! tu at kvm-test:~$ ssh ub0001
! tu at ub0001's password: 

No? Didn't I received a tgt from the krb5-server?
! tu at kvm-test:~$ klist
! Ticket cache: FILE:/tmp/krb5cc_2023_AM9554
! Default principal: tu at LOCAL
!
! Valid starting     Expires            Service principal
! 11/17/10 12:46:29  11/17/10 22:46:29  krbtgt/LOCAL at LOCAL
!        renew until 11/18/10 12:46:19

I did. Not working? OK. Trying rsh.
! UB0001:~% rsh -x kvm-test
! UB0001:~%                 

Fails without notice. Looks like something realy going wrong. Trying the auth-server all alone:
! UB0001:~% ssh auth
! tu at auth's password: 
! Linux auth 2.6.32-25-server #45-Ubuntu SMP
!  Sat Oct 16 20:06:58 UTC 2010 x86_64 GNU/Linux Ubuntu 10.04.1 LTS
!
! Welcome to the Ubuntu Server!
! * Documentation:  http://www.ubuntu.com/server/doc
!
! Last login: Wed Nov 17 12:41:30 2010 from ub0001.xompu.de
! tu at auth:~$ klist
! Ticket cache: FILE:/tmp/krb5cc_1000_mB3672
! Default principal: tu at LOCAL
!
! Valid starting     Expires            Service principal
! 11/17/10 12:56:52  11/17/10 22:56:52  krbtgt/LOCAL at LOCAL
!       renew until 11/18/10 12:56:52

Looks OK. Now from self to self:
! tu at auth:~$ ssh auth
! tu at auth's password: 

The same for rsh, telnet, ... all want, if not failing silently, the
password for the user.

-- 
ssh does not authenticate against kerberos
https://bugs.launchpad.net/bugs/675448
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in ubuntu.

More information about the Ubuntu-server-bugs mailing list