Subject: Re: ssh(d) with kerberos on NetBSD 2.0?
To: None <hubert@feyrer.de>
From: Johan A.van Zanten <johan@giantfoo.org>
List: tech-security
Date: 09/19/2005 17:56:17
Hubert Feyrer <hubert@feyrer.de> wrote:
>
> Kerberos newbie stuff ahead...
>
> Following [1], I've setup Kerberos on NetBSD 2.0, and I can su(1) to my
> test-account and use "telnet localhost" and get logged in without
> password. Now I'd like to do the same with ssh. I have set
> "KerberosAuthentication yes" and just for kicks "AFSTokenPassing yes" and
> "KerberosTgtPassing yes" in /etc/ssh/sshd_config. Now I'm getting:
[smip]
"Decrypt integrity check failed" is most often seen when the password is
wrong. Are you being prompted for a password?
Assuming not, does your running sshd process have read privs on
/etc/krb5.keytab ? (Or where ever the extract service principal key is
stored?)
You probably ought to ssh to something other than localhost. Kerberos
service keys are tied to a specific hostname, and localhost probably
resolves to something different than the primary hostname of the machine.
So if the host you are logging into is name "foo.bar.com" and your
Kerberos realm is named "BAR.COM" then make sure there's a principal named
"host/foo.bar.com@BAR.COM" in your KDC's database, and make sure that
principal is extracted and stored in /etc/krb5.keytab on host foo.bar.com.
(And make sure that sshd can read that file, just in case you are doing
something unusual with the user sshd is running as, or in case it's
looking for the stashed service principal somewhere non-standard.)
Judging from the logs on my KDC, when i do:
ssh $hostname
...if i don't already have the tickets, ssh (the client) gets a TGT
(ticket-granting ticket) for my principal (johan@$REALMNAME), and then
gets a host/foo ticket, for me to login to host "foo". (You can see what
tickets you have with "klist").
Here's relevant output from 'sshd -d -d -d' for a successful login:
debug2: input_userauth_request: try method kerberos-2@ssh.com
debug3: mm_auth_krb5 entering
debug3: mm_request_send entering: type 39
debug3: monitor_read: checking request 39
debug3: mm_request_receive_expect entering: type 40
debug3: mm_request_receive entering
debug3: mm_request_send entering: type 40
Accepted kerberos-2@ssh.com for johan from 24.227.169.100 port 63889 ssh2
debug3: mm_send_keystate: Sending new keys: 0x12007cb00 0x12007c680
I hope this helps.
-johan