Subject: SSH and Kerberos
To: None <netbsd-users@netbsd.org>
From: Daniel Cox <dcox@microbits.com.au>
List: netbsd-users
Date: 07/25/2002 12:59:15
I currently have a network with a number of Linux, OpenBSD
and FreeBSD servers. All work perfectly with Kerberos IV
and SSH (protocol V1).

NetBSD 1.6 also works properly as a workstation, ie. I
can run kinit and then ssh to other hosts without having to
enter a password.
BUT I can't connect to the NetBSD host with ssh from other
hosts - ssh did not have kerberos support compiled in for 1.5.2,
I thought I would try again with 1.6 BETA 4.

To simplify the situation I have setup a single test NetBSD host
all on its own and I am trying to ssh to itself.

I get the following error from sshd in debug mode.
- v5 authentication failed: 6
- v4 krb_rd_req: Can't decode authenticator (krb_rd_req)

My setup (from a completely fresh installation):

rc.conf:
 hostname = test.domain.com
 kdc = YES
 ifconfig_fxp0 = "inet 192.168.1.28 netmask 255.255.255.0"
hosts:
 192.168.1.28  test.domain.com test
krb5.conf:
 [libdefaults]
  default_realm = DOMAIN.COM
 [realms]
  DOMAIN.COM = {
   kdc = test.domain.com
   admin_server = test.domain.com
   default_domain = domain.com
   v4_name_convert = {
    host = {
     rcmd = host
    }
   }
  }
ssh/sshd_config:
 ...
 Protocol 2,1
 KerberosAuthentication yes
 ...
krb.conf
 DOMAIN.COM
 DOMAIN.COM test.domain.com admin server
krb.realms
 domain.com DOMAIN.COM
 .domain.com DOMAIN.COM
inetd.conf
 (enabled telnet, kerberos-adm, kpasswd)

#useradd -m dcox
  (no password entered)
#kstash
#kadmin -l
 >init DOMAIN.COM
 >add --random-key host/test.domain.com
 >ext host/test.domain.com
 >add dcox
   (entered a password)
 >quit
#ktutil srvcreate
#/etc/rc.d/network start
#/etc/rc.d/inetd restart
#/etc/rc.d/kdc start


As root from first terminal
#sshd -d

I can now login from a second virtual terminal
as dcox using kerberos password.
#klist
 shows kerberos V tickets:
 krbtgt/DOMAIN.COM@DOMAIN.COM
 host/test.domain.com@DOMAIN.COM

#telnet -ax test
 (WORKS CORRECTLY - NO PASSWORD NEEDED)

For ssh to try IV authentication
#kinit
#klist
 now shows kerberos V and IV krbtgt

#ssh -1 -v test.domain.com
 (shows failed kerberos attempts)
 entering kerberos password at prompt does work properly
#klist
 shows extra tickets including IV rcmd/test@DOMAIN.COM

The output of sshd shows the above mentioned errors
#info kth-krb
Explains that the v4 error may be because the srvtab is not
found or does not match the packet.
I have tried putting srvtab in /etc/kerberosIV
If it's the packet - I am stuck on fixing that.

The MIT admin documentation for v5 says error 6 is
KRB5KDC_ERR_S_OLD_MAST_KVNO: Server's key is encrypted in an old master key

ssh using protocol 2 does not even attempt kerberos authentication
I am happy to stick with protocol 1.

Any ideas for further testing would be greatly appreciated.
Daniel Cox
Microbits.
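One check worth running on a host in the state described above is whether the key in the keytab still matches the key version the KDC holds for host/test.domain.com, since a stale keytab (extracted before the principal's key was changed or the KDC re-initialised) is one of the "srvtab does not match the packet" causes the kth-krb info page mentions. The script below is an added example, not code from the original post or from NetBSD/Heimdal; it parses constructed samples of `ktutil list` and `kadmin -l get` output, and the exact layout of those outputs is an assumption to be verified against the real tools before relying on the parser.

```python
from __future__ import annotations
import re

# Constructed sample of Heimdal-style `ktutil list` output (layout assumed).
# The keytab holds kvno 1 for the host principal.
KTUTIL_LIST = """FILE:/etc/krb5.keytab

Vno  Type                     Principal                         Date
  1  des-cbc-crc              host/test.domain.com@DOMAIN.COM   2002-07-25
  1  des3-cbc-sha1            host/test.domain.com@DOMAIN.COM   2002-07-25
"""

# Constructed sample of `kadmin -l get host/test.domain.com` output (layout
# assumed). The KDC has moved on to kvno 2, so the keytab above is stale.
KADMIN_GET = """            Principal: host/test.domain.com@DOMAIN.COM
    Principal expires: never
     Password expires: never
 Last password change: 2002-07-25 12:30:00 UTC
                 Kvno: 2
"""

def keytab_kvnos(listing: str) -> dict[str, set[int]]:
    """Map each principal in a `ktutil list` dump to the set of kvnos stored for it."""
    out: dict[str, set[int]] = {}
    for line in listing.splitlines():
        m = re.match(r"\s*(\d+)\s+\S+\s+(\S+@\S+)", line)  # vno, enctype, principal
        if m:
            out.setdefault(m.group(2), set()).add(int(m.group(1)))
    return out

def kdc_kvno(get_output: str) -> tuple[str, int]:
    """Extract (principal, current kvno) from `kadmin -l get` output."""
    principal = re.search(r"Principal:\s*(\S+)", get_output).group(1)
    kvno = int(re.search(r"Kvno:\s*(\d+)", get_output).group(1))
    return principal, kvno

def check_keytab(listing: str, get_output: str) -> list[str]:
    """Return findings; an empty list means the keytab carries the KDC's current key."""
    findings: list[str] = []
    principal, current = kdc_kvno(get_output)
    have = keytab_kvnos(listing).get(principal)
    if have is None:
        findings.append(f"{principal}: not in keytab; run `ext {principal}` in kadmin -l")
    elif current not in have:
        findings.append(f"{principal}: keytab has kvno {sorted(have)}, KDC has kvno {current}; "
                        "re-extract the key and regenerate the v4 srvtab with ktutil srvcreate")
    return findings

if __name__ == "__main__":
    for finding in check_keytab(KTUTIL_LIST, KADMIN_GET) or ["keytab matches KDC"]:
        print(finding)
```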