Hi, I am trying to get GSSAPI auth to work and the problem is that my Kerberos server and the SSH server I want to connect to are behind a NAT. My setup looks like this:

    my_laptop -------- virtual_machine_host ----- kerberos & ssh server
    (any ip here)      128.131.XX.YY - 10.0.0.1   10.0.0.2 & 10.0.0.3

Port forwards are done by iptables on my virtual-machine host. Port 22 is forwarded to my SSH server. I can get a Kerberos ticket easily on my laptop:

    joerg@laptop ~ % kinit joerg
    Password for [email protected]:
    joerg@laptop ~ % klist -af
    Ticket cache: FILE:/tmp/krb5cc_1000
    Default principal: [email protected]

    Valid starting     Expires            Service principal
    08/01/12 09:34:39  08/01/12 23:34:39  krbtgt/[email protected]
            renew until 08/02/12 09:35:00, Flags: FPRI
            Addresses: (none)

Connecting to my virtual-machine host with GSSAPI auth also works as expected, but when I try to connect to my SSH server GSSAPI fails (No valid Key exchange context) and I am prompted for a password. Connecting via ssh from my Kerberos server to my SSH server internally works too. The strange thing I found is that even with NO host keytab on my SSH server I do get a ticket when trying to connect.

    joerg@laptop ~ % kinit joerg
    Password for [email protected]:
    joerg@laptop ~ % klist -af
    Ticket cache: FILE:/tmp/krb5cc_1000
    Default principal: [email protected]

    Valid starting     Expires            Service principal
    08/01/12 09:46:42  08/01/12 23:46:42  krbtgt/[email protected]
            renew until 08/02/12 09:47:03, Flags: FPRI
            Addresses: (none)
    joerg@blackmini ~ % ssh root@virtual-machine-host
    Warning: Permanently added 'virtual-machine-host,128.131.XX.YY' (ECDSA) to the list of known hosts.
    Password:
    130 joerg@laptop ~ % klist -af
    Ticket cache: FILE:/tmp/krb5cc_1000
    Default principal: [email protected]

    Valid starting     Expires            Service principal
    08/01/12 09:46:42  08/01/12 23:46:42  krbtgt/[email protected]
            renew until 08/02/12 09:47:03, Flags: FPRI
            Addresses: (none)
    08/01/12 09:46:57  08/01/12 23:46:42  host/virtual-machine-host@
            renew until 08/02/12 09:47:03, Flags: FPRT
            Addresses: (none)
    08/01/12 09:46:57  08/01/12 23:46:42  host/[email protected]
            renew until 08/02/12 09:47:03, Flags: FPRT
            Addresses: (none)

I already read a lot about addressless tickets and "rdns=no", but all this seems way outdated. The config option "extra_addresses" looks promising but I didn't have success with this either. I am working on an Ubuntu 11.04 laptop and the SSH server is Debian Squeeze. Any ideas or further suggestions on what I could try to get this working? This would be quite important for me.

thanks,
Jörg

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
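Added example, not part of the original post: a small Python check of the mechanism behind the symptom above. An SSH client asks the KDC for host/<name>@REALM using the name it connected to (or that name canonicalised via DNS), so reaching a backend through a forwarded port on virtual-machine-host yields a ticket for the front-end host's principal, which a backend holding only its own key cannot decrypt. The realm EXAMPLE.REALM, host names and keytab contents are constructed placeholders.

```python
import re

# Constructed klist -af output shaped like the one in the post; the realm
# EXAMPLE.REALM and the host names are placeholders, not real values.
KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: joerg@EXAMPLE.REALM

Valid starting     Expires            Service principal
08/01/12 09:46:42  08/01/12 23:46:42  krbtgt/EXAMPLE.REALM@EXAMPLE.REALM
        renew until 08/02/12 09:47:03, Flags: FPRI
        Addresses: (none)
08/01/12 09:46:57  08/01/12 23:46:42  host/virtual-machine-host@EXAMPLE.REALM
        renew until 08/02/12 09:47:03, Flags: FPRT
        Addresses: (none)
"""

# A ticket line: start time, expiry time, then the service principal.
TICKET_LINE = re.compile(
    r"^\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+(\S+)")


def service_principals(klist_text):
    """Return the service principals for which the cache holds tickets."""
    return [m.group(1) for m in map(TICKET_LINE.match, klist_text.splitlines()) if m]


def expected_host_principal(connect_name, realm, canonical_name=None):
    """Principal the SSH client requests: host/<name>@REALM, where <name> is the
    host typed on the command line or, if DNS canonicalisation is allowed,
    the canonical name."""
    return f"host/{canonical_name or connect_name}@{realm}"


def diagnose(klist_text, connect_name, realm, backend_keytab_principals,
             canonical_name=None):
    """Check whether the ticket the client obtained can be decrypted by the host
    that actually answers on the forwarded port (backend_keytab_principals is
    what `klist -k` on that host would list)."""
    wanted = expected_host_principal(connect_name, realm, canonical_name)
    return {
        "requested": wanted,
        "ticket_obtained": wanted in service_principals(klist_text),
        "backend_can_decrypt": wanted in set(backend_keytab_principals),
    }


if __name__ == "__main__":
    # Port 22 on virtual-machine-host forwards to a backend whose keytab
    # only holds its own host principal (constructed).
    print(diagnose(KLIST_OUTPUT, "virtual-machine-host", "EXAMPLE.REALM",
                   ["host/ssh-server@EXAMPLE.REALM"]))
```

A ticket that is obtained but not decryptable by the backend is exactly the "ticket issued, GSSAPI still fails" pattern; the fix is either to give the backend the key for the principal the client requests, or to connect using a name that maps to the backend's own principal.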
