OSEC

From: Daniel Cox (dcox_at_microbits.com.au)
Date: Fri Oct 04 2002 - 00:51:34 CDT


    I currently have a network with a number of Linux, OpenBSD
    and FreeBSD servers. All work perfectly with Kerberos IV
    and SSH (protocol V1).

    NetBSD 1.6 also works properly as a workstation, i.e. I
    can run kinit and then ssh to other hosts without having to
    enter a password.
    BUT I can't connect to the NetBSD host with ssh from other
    hosts - ssh did not have kerberos support compiled in for 1.5.2, so
    I thought I would try again with 1.6.

    To simplify the situation I have setup a single test NetBSD host
    all on its own and I am trying to ssh to itself.

    I get the following error from sshd in debug mode.
    - v5 authentication failed: 6
    - v4 krb_rd_req: Can't decode authenticator (krb_rd_req)

    My setup (from a completely fresh installation):

    rc.conf:
    hostname = test.domain.com
    kdc = YES
    ifconfig_fxp0 = "inet 192.168.1.28 netmask 255.255.255.0"
    hosts:
    192.168.1.28 test.domain.com test
    krb5.conf:
    [libdefaults]
     default_realm = DOMAIN.COM
    [realms]
     DOMAIN.COM = {
      kdc = test.domain.com
      admin_server = test.domain.com
      default_domain = domain.com
      v4_name_convert = {
       host = {
        rcmd = host
       }
      }
     }
    ssh/sshd_config:
    ...
    Protocol 2,1
    KerberosAuthentication yes
    ...
    krb.conf
    DOMAIN.COM
    DOMAIN.COM test.domain.com admin server
    krb.realms
    domain.com DOMAIN.COM
    .domain.com DOMAIN.COM
    inetd.conf
    (enabled telnet, kerberos-adm, kpasswd)
     #useradd -m dcox
     (no password entered)
    #kstash
    #kadmin -l
    >init DOMAIN.COM
    >add --random-key host/test.domain.com
    >ext host/test.domain.com
    >add dcox
      (entered a password)
    >quit
    #ktutil srvcreate
    #/etc/rc.d/network start
    #/etc/rc.d/inetd restart
    #/etc/rc.d/kdc start

    As root from first terminal
    #sshd -d
    I can now login from a second virtual terminal
    as dcox using kerberos password.
    #klist
    shows kerberos V tickets:
     krbtgt/DOMAIN.COM@DOMAIN.COM
     host/test.domain.com@DOMAIN.COM

    #telnet -ax test
    (WORKS CORRECTLY - NO PASSWORD NEEDED)

    For ssh to try IV authentication
    #kinit
    #klist
    now shows kerberos V and IV krbtgt

    #ssh -1 -v test.domain.com
    (shows failed kerberos attempts)
    entering kerberos password at prompt does work properly
    #klist
    shows extra tickets including IV rcmd/test@DOMAIN.COM

    The output of sshd shows the above mentioned errors
    #info kth-krb
    Explains that the v4 error may be because the srvtab is not
    found or does not match the packet.
    I have tried putting srvtab in /etc/kerberosIV.
    If it's the packet, I am stuck on fixing that.

    The MIT admin documentation for v5 says error 6 is
    KRB5KDC_ERR_S_OLD_MAST_KVNO: Server's key is encrypted in an old master key

    ssh using protocol 2 does not even attempt kerberos authentication
    I am happy to stick with protocol 1.

    Any ideas for further testing would be greatly appreciated.
    Daniel Cox
    Microbits.
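The post's own diagnosis points at the server key: a srvtab/keytab that is missing or does not match what the KDC holds. The script below is an added example (not the poster's code, and not part of NetBSD or Heimdal) of the cross-check a practitioner would run before digging into packets: it parses the text output of Heimdal-style `ktutil list` and `kadmin -l get <principal>` and reports when the key version number (kvno) the KDC has for `host/test.domain.com` is not present in the keytab. It also shows the v4 name that the `v4_name_convert { host = { rcmd = host } }` block implies for that v5 principal, assuming (as this example does) that the block maps the v4 name on the left to the v5 service on the right and that the v4 instance is the hostname with `default_domain` stripped. All command output here is constructed for the example; real column layouts may differ, so the regexes are deliberately loose.

```python
"""Cross-check a Kerberos keytab against the KDC's key version number.

Added example, not code from the original post. The sample tool output is
constructed; it is not the poster's output.
"""
import re
from collections import defaultdict

# Constructed sample: what `ktutil list` prints for the host keytab.
KTUTIL_LIST_SAMPLE = """\
Vno  Type                     Principal
  1  des-cbc-crc              host/test.domain.com@DOMAIN.COM
  1  des-cbc-md5              host/test.domain.com@DOMAIN.COM
  2  des-cbc-crc              host/test.domain.com@DOMAIN.COM
"""

# Constructed sample: what `kadmin -l get host/test.domain.com` prints.
KADMIN_GET_SAMPLE = """\
            Principal: host/test.domain.com@DOMAIN.COM
    Principal expires: never
     Password expires: never
 Last password change: 2002-10-04 05:51:34 UTC
      Max ticket life: 1 day
   Max renewable life: 1 week
                 Kvno: 2
"""

# Loose patterns: "<vno> <enctype> <principal@REALM>" and "<Field>: <value>".
KTUTIL_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+@\S+)\s*$")
KADMIN_FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")


def parse_ktutil_list(text):
    """Return {principal: set of kvnos present in the keytab}."""
    entries = defaultdict(set)
    for line in text.splitlines():
        m = KTUTIL_LINE.match(line)
        if m:
            entries[m.group(3)].add(int(m.group(1)))
    return dict(entries)


def parse_kadmin_get(text):
    """Return (principal, kvno) from `kadmin get` style field output."""
    fields = {}
    for line in text.splitlines():
        m = KADMIN_FIELD.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields["Principal"], int(fields["Kvno"])


def find_kvno_mismatches(keytab_text, kdc_text):
    """Return [(principal, keytab_kvnos, kdc_kvno)] when the KDC's current
    kvno for the principal is absent from the keytab; [] when it is present.
    A server that holds only an older key cannot decrypt tickets the KDC
    issues under the newer one."""
    keytab = parse_ktutil_list(keytab_text)
    principal, kdc_kvno = parse_kadmin_get(kdc_text)
    have = keytab.get(principal, set())
    if kdc_kvno in have:
        return []
    return [(principal, sorted(have), kdc_kvno)]


def v5_to_v4_name(principal, v4_name_convert, default_domain):
    """Map 'service/fqdn@REALM' to the v4 'name.instance@REALM' form.

    Assumption made by this example: v4_name_convert is {v4_name: v5_service}
    as in the krb5.conf block `rcmd = host`, and the v4 instance is the
    hostname with default_domain removed."""
    name_part, realm = principal.rsplit("@", 1)
    service, _, host = name_part.partition("/")
    v5_to_v4 = {v5: v4 for v4, v5 in v4_name_convert.items()}
    v4_name = v5_to_v4.get(service, service)
    instance = host
    suffix = "." + default_domain.lower()
    if instance.lower().endswith(suffix):
        instance = instance[: -len(suffix)]
    return f"{v4_name}.{instance}@{realm}"


if __name__ == "__main__":
    for principal, have, want in find_kvno_mismatches(KTUTIL_LIST_SAMPLE, KADMIN_GET_SAMPLE):
        print(f"MISMATCH {principal}: keytab has kvno {have}, KDC has {want}")
    print("v4 name:", v5_to_v4_name("host/test.domain.com@DOMAIN.COM",
                                    {"rcmd": "host"}, "domain.com"))
```

On a real host you would feed the script the actual output of `ktutil list` and `kadmin -l get host/<fqdn>`; an empty result from `find_kvno_mismatches` means the keytab holds the key the KDC is currently issuing tickets under, so the next thing to check is whether the v4 srvtab created by `ktutil srvcreate` carries the `rcmd.test` entry the mapping above predicts.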