kerberos authentication



Hi,

I'm just starting with Kerberos, so I'm probably missing something obvious
here.

server:
PasswordAuthentication no
KerberosAuthentication yes
KerberosOrLocalPasswd no
KerberosTicketCleanup yes


client: (night:crawler 192.168.10.102)
~/.ssh/config
GSSAPIAuthentication yes

client:
[kerberos-test@night_crawler ~]$ kinit kerberos-test
kerberos-test@xxxxxxxxxxxxxx's Password:
[kerberos-test@night_crawler ~]$ klist
Credentials cache: FILE:/tmp/krb5cc_1013
Principal: kerberos-test@xxxxxxxxxxxxxx

Issued Expires Principal
Nov 27 13:14:34 Nov 27 23:14:34 krbtgt/LOCALDOMAIN.DE@xxxxxxxxxxxxxx



ssh wf
Permission denied (publickey,gssapi-with-mic).


klist
Credentials cache: FILE:/tmp/krb5cc_1013
Principal: kerberos-test@xxxxxxxxxxxxxx

Issued Expires Principal
Nov 27 13:14:34 Nov 27 23:14:34 krbtgt/LOCALDOMAIN.DE@xxxxxxxxxxxxxx
Nov 27 13:15:03 Nov 27 23:14:34 host/wf.localdomain.de@xxxxxxxxxxxxxx



server:
kdc.log
2008-11-27T13:14:34 sending 493 bytes to IPv4:192.168.10.102
2008-11-27T13:14:34 AS-REQ kerberos-test@xxxxxxxxxxxxxx from
IPv4:192.168.10.102 for krbtgt/LOCALDOMAIN.DE@xxxxxxxxxxxxxx
2008-11-27T13:14:34 Client sent patypes: encrypted-timestamp
2008-11-27T13:14:34 Looking for PKINIT pa-data --
kerberos-test@xxxxxxxxxxxxxx
2008-11-27T13:14:34 Looking for ENC-TS pa-data --
kerberos-test@xxxxxxxxxxxxxx
2008-11-27T13:14:34 ENC-TS Pre-authentication succeeded --
kerberos-test@xxxxxxxxxxxxxx using aes256-cts-hmac-sha1-96
2008-11-27T13:14:34 Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5,
des-cbc-md5, des-cbc-md4, des-cbc-crc
2008-11-27T13:14:34 Using
aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2008-11-27T13:14:34 AS-REQ authtime: 2008-11-27T13:14:34 starttime:
unset endtime: 2008-11-27T23:14:34 renew till: unset
2008-11-27T13:14:34 sending 688 bytes to IPv4:192.168.10.102
2008-11-27T13:15:03 TGS-REQ kerberos-test@xxxxxxxxxxxxxx from
IPv4:192.168.10.102 for host/wf.localdomain.de@xxxxxxxxxxxxxx
[canonicalize]
2008-11-27T13:15:03 TGS-REQ authtime: 2008-11-27T13:14:34 starttime:
2008-11-27T13:15:03 endtime: 2008-11-27T23:14:34 renew till: unset
2008-11-27T13:15:03 sending 683 bytes to IPv4:192.168.10.102




After the ssh connect the principal wf (ssh server) is listed, but why
is ssh not connecting?


