Subject: ssh(d) with kerberos on NetBSD 2.0?
To: None <tech-security@NetBSD.org>
From: Hubert Feyrer <hubert@feyrer.de>
List: tech-security
Date: 09/19/2005 23:20:35
Kerberos newbie stuff ahead...

Following [1], I've set up Kerberos on NetBSD 2.0, and I can su(1) to my 
test-account and use "telnet localhost" and get logged in without 
password. Now I'd like to do the same with ssh. I have set 
"KerberosAuthentication yes" and just for kicks "AFSTokenPassing yes" and 
"KerberosTgtPassing yes" in /etc/ssh/sshd_config. Now I'm getting:

 	ktest@noon: {43} ssh localhost
 	Connection closed by ::1
 	ktest@noon: {44}

Not very exhaustive, running "ssh -v" gives:

 	...
 	debug1: SSH2_MSG_SERVICE_ACCEPT received
 	debug1: Authentications that can continue:
 	publickey,password,keyboard-interactive,kerberos-2@ssh.com
 	debug1: Next authentication method: kerberos-2@ssh.com
 	debug1: Authentications that can continue:
 	publickey,password,keyboard-interactive,kerberos-2@ssh.com
 	Connection closed by ::1
 	debug1: Calling cleanup 0x805cb1c(0x0)

Doesn't ring a bell for me either, so running "sshd -d -d -d" gives:

 	debug1: userauth-request for user ktest service ssh-connection method kerberos-2@ssh.com
 	debug1: attempt 1 failures 1
 	debug2: input_userauth_request: try method kerberos-2@ssh.com
 	debug3: mm_auth_krb5 entering
 	debug3: mm_request_send entering: type 39
 	debug3: monitor_read: checking request 39
===>	debug1: Kerberos v5 authentication failed: Decrypt integrity check failed
 	debug3: mm_request_send entering: type 40
 	debug2: monitor_read: 39 used once, disabling now
 	Failed kerberos for ktest from ::1 port 51303 ssh2
 	debug3: mm_request_receive entering
 	debug3: mm_request_receive_expect entering: type 40
 	debug3: mm_request_receive entering
 	Failed kerberos-2@ssh.com for ktest from ::1 port 51303 ssh2
 	debug1: userauth-request for user ktest service ssh-connection method kerberos-2@ssh.com
 	debug1: attempt 2 failures 2
 	debug2: input_userauth_request: try method kerberos-2@ssh.com
 	debug3: mm_auth_krb5 entering
 	debug3: mm_request_send entering: type 39
 	debug3: monitor_read: checking request 39
 	monitor_read: unpermitted request 39
 	debug1: Calling cleanup 0x80612f0(0x8090540)
 	debug1: krb5_cleanup_proc called
 	noon# debug3: mm_request_receive_expect entering: type 40
 	debug3: mm_request_receive entering
 	debug1: Calling cleanup 0x8066d40(0x0)

The only vaguely useful thing I see in there is "Kerberos v5 
authentication failed: Decrypt integrity check failed", not that I have an 
idea what that's supposed to be.

Do I have to add a separate principal for the ssh service in addition to 
host/localhost and host/noon (the machine's name)?

Any clues?


  - Hubert

[1] http://www.netbsd.org/Documentation/network/#kerberos
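Added here as an illustration, not part of Hubert's message or of NetBSD's or OpenSSH's code: a small Python script that pulls the Kerberos-relevant facts out of verbose `sshd -d -d -d` output like the excerpt above (the library failure reason, the "Failed kerberos ... for user" lines, the attempt counter, and the monitor's refusal of a repeated request) and lists which Kerberos keywords an sshd_config fragment enables. The log lines and the config fragment embedded in it are constructed from the post; `REASON_HINTS` is a hypothetical lookup table whose one entry states the usual meaning of the Heimdal/MIT error text "Decrypt integrity check failed" (the service ticket could not be verified with the key found in the host keytab), which is general knowledge about that library error rather than something the post establishes.

```python
import re
from collections import Counter

# Constructed sample input: the sshd "-d -d -d" lines quoted in the post,
# with the "noon# " shell prompt that got interleaved into one line left out.
SSHD_DEBUG_LOG = """\
debug1: userauth-request for user ktest service ssh-connection method kerberos-2@ssh.com
debug1: attempt 1 failures 1
debug3: mm_auth_krb5 entering
debug1: Kerberos v5 authentication failed: Decrypt integrity check failed
debug2: monitor_read: 39 used once, disabling now
Failed kerberos for ktest from ::1 port 51303 ssh2
Failed kerberos-2@ssh.com for ktest from ::1 port 51303 ssh2
debug1: userauth-request for user ktest service ssh-connection method kerberos-2@ssh.com
debug1: attempt 2 failures 2
monitor_read: unpermitted request 39
"""

# Constructed sshd_config fragment reflecting the settings named in the post.
SSHD_CONFIG = """\
KerberosAuthentication yes
AFSTokenPassing yes        # trailing comment, must be ignored by the parser
KerberosTgtPassing yes
PasswordAuthentication yes
"""

KRB_REASON_RE = re.compile(r"Kerberos v5 authentication failed: (?P<reason>.+?)\s*$")
FAILED_RE = re.compile(r"^Failed (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) "
                       r"port (?P<port>\d+) (?P<proto>\S+)$")
ATTEMPT_RE = re.compile(r"^debug1: attempt (?P<n>\d+) failures (?P<failures>\d+)$")
UNPERMITTED_RE = re.compile(r"monitor_read: unpermitted request (?P<req>\d+)")

# Hypothetical lookup table: library error text -> what to check (Heimdal/MIT meaning).
REASON_HINTS = {
    "Decrypt integrity check failed":
        "the service ticket could not be verified with the key in the host keytab; "
        "compare the keytab entry (principal name and kvno) with what the KDC holds",
}


def parse_sshd_debug(text):
    """Extract the Kerberos-relevant facts from verbose sshd output."""
    reasons, failures, unpermitted = [], [], []
    last_attempt = 0
    for raw in text.splitlines():
        line = raw.strip()
        m = KRB_REASON_RE.search(line)
        if m:
            reasons.append(m.group("reason"))
            continue
        m = FAILED_RE.match(line)
        if m:
            failures.append({"method": m.group("method"), "user": m.group("user"),
                             "src": m.group("src"), "port": int(m.group("port"))})
            continue
        m = ATTEMPT_RE.match(line)
        if m:
            last_attempt = int(m.group("n"))
            continue
        m = UNPERMITTED_RE.search(line)
        if m:
            unpermitted.append(int(m.group("req")))
    return {"reasons": reasons, "failures": failures,
            "attempts": last_attempt, "unpermitted_requests": unpermitted}


def failures_by_user(parsed):
    """Count the 'Failed <method> for <user>' lines per user."""
    return Counter(f["user"] for f in parsed["failures"])


def kerberos_settings(config_text):
    """Return the Kerberos-related keywords set in an sshd_config fragment.

    Keyword matching is case-insensitive, as in sshd_config itself; '#' comments are dropped.
    """
    wanted = {"kerberosauthentication", "kerberostgtpassing", "afstokenpassing",
              "kerberosticketcleanup", "gssapiauthentication"}
    found = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() in wanted:
            found[parts[0]] = parts[1].strip()
    return found


def report(log_text, config_text):
    """Human-readable summary combining the config fragment and the debug log."""
    parsed = parse_sshd_debug(log_text)
    lines = [f"config: {k} {v}" for k, v in sorted(kerberos_settings(config_text).items())]
    for reason in parsed["reasons"]:
        lines.append(f"krb5 failure: {reason}")
        if reason in REASON_HINTS:
            lines.append(f"  hint: {REASON_HINTS[reason]}")
    for user, n in failures_by_user(parsed).items():
        lines.append(f"{n} failed Kerberos attempt(s) logged for {user}")
    if parsed["unpermitted_requests"]:
        # The log itself says request 39 was "used once, disabling now": the
        # privilege-separation monitor answers the krb5 request once per session.
        lines.append("monitor refused a repeated krb5 request after disabling it; "
                     "the second attempt never reached the Kerberos library")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SSHD_DEBUG_LOG, SSHD_CONFIG))
```

Run it as-is to see the summary for the constructed input, or call `report()` with the captured output of `sshd -d -d -d` and the contents of /etc/ssh/sshd_config; the `Failed ... for <user> from <src> port <port>` lines are the ones that also reach syslog, so `failures_by_user()` works on an ordinary auth log without the debug flags.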