Subject: SSH and Kerberos
To: None <tech-security@netbsd.org>
From: Daniel Cox <dcox@microbits.com.au>
List: tech-security
Date: 10/04/2002 15:21:34
I currently have a network with a number of Linux, OpenBSD
and FreeBSD servers. All work perfectly with Kerberos IV
and SSH (protocol V1).

NetBSD 1.6 also works properly as a workstation, i.e. I
can run kinit and then ssh to other hosts without having to
enter a password.
BUT I can't connect to the NetBSD host with ssh from other
hosts. ssh did not have Kerberos support compiled in for 1.5.2,
so I thought I would try again with 1.6.

To simplify the situation I have setup a single test NetBSD host
all on its own and I am trying to ssh to itself.

I get the following error from sshd in debug mode.
- v5 authentication failed: 6
- v4 krb_rd_req: Can't decode authenticator (krb_rd_req)

My setup (from a completely fresh installation):

rc.conf:
hostname = test.domain.com
kdc = YES
ifconfig_fxp0 = "inet 192.168.1.28 netmask 255.255.255.0"
hosts:
192.168.1.28  test.domain.com test
krb5.conf:
[libdefaults]
 default_realm = DOMAIN.COM
[realms]
 DOMAIN.COM = {
  kdc = test.domain.com
  admin_server = test.domain.com
  default_domain = domain.com
  v4_name_convert = {
   host = {
    rcmd = host
   }
  }
 }
ssh/sshd_config:
...
Protocol 2,1
KerberosAuthentication yes
...
krb.conf
DOMAIN.COM
DOMAIN.COM test.domain.com admin server
krb.realms
domain.com DOMAIN.COM
.domain.com DOMAIN.COM
inetd.conf
(enabled telnet, kerberos-adm, kpasswd)
 #useradd -m dcox
 (no password entered)
#kstash
#kadmin -l
>init DOMAIN.COM
>add --random-key host/test.domain.com
>ext host/test.domain.com
>add dcox
  (entered a password)
>quit
#ktutil srvcreate
#/etc/rc.d/network start
#/etc/rc.d/inetd restart
#/etc/rc.d/kdc start

As root from first terminal
#sshd -d
I can now login from a second virtual terminal
as dcox using kerberos password.
#klist
shows kerberos V tickets:
 krbtgt/DOMAIN.COM@DOMAIN.COM
 host/test.domain.com@DOMAIN.COM

#telnet -ax test
(WORKS CORRECTLY - NO PASSWORD NEEDED)

For ssh to try IV authentication
#kinit
#klist
now shows kerberos V and IV krbtgt

#ssh -1 -v test.domain.com
(shows failed kerberos attempts)
entering kerberos password at prompt does work properly
#klist
shows extra tickets including IV rcmd/test@DOMAIN.COM

The output of sshd shows the above mentioned errors
#info kth-krb
Explains that the v4 error may be because the srvtab is not
found or does not match the packet.
I have tried putting srvtab in /etc/kerberosIV
If it's the packet, I am stuck on fixing that.

The MIT admin documentation for v5 says error 6 is
KRB5KDC_ERR_S_OLD_MAST_KVNO: Server's key is encrypted in an old master key

ssh using protocol 2 does not even attempt kerberos authentication
I am happy to stick with protocol 1.

Any ideas for further testing would be greatly appreciated.
Daniel Cox
Microbits.
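The kth-krb note quoted above names two causes for the v4 krb_rd_req failure: the srvtab is not found, or its entry does not match the ticket. The following is an added example, not code from the original post or from NetBSD/Heimdal, that walks a Kerberos IV srvtab and checks for the rcmd.test@DOMAIN.COM key matching the v4 ticket klist showed. It assumes the classic v4 srvtab layout (name, instance and realm as NUL-terminated strings, a 1-byte kvno, an 8-byte DES key); the sample srvtab bytes are constructed with all-zero placeholder keys.

```python
# Added example (not from the original post): walk a Kerberos IV srvtab
# and check it holds the rcmd.<host> key sshd's v4 code path looks up.
# Assumes the classic v4 srvtab layout: three NUL-terminated strings
# (name, instance, realm), a 1-byte kvno, then an 8-byte DES key.
from typing import List, Optional, Tuple

Entry = Tuple[str, str, str, int, bytes]

def parse_srvtab(data: bytes) -> List[Entry]:
    """Return (name, instance, realm, kvno, key) for each srvtab entry."""
    entries, pos = [], 0
    while pos < len(data):
        fields = []
        for _ in range(3):
            end = data.find(b"\0", pos)
            if end < 0:
                raise ValueError(f"unterminated string at offset {pos}")
            fields.append(data[pos:end].decode("ascii"))
            pos = end + 1
        if len(data) - pos < 9:
            raise ValueError(f"truncated key material at offset {pos}")
        kvno, key = data[pos], data[pos + 1:pos + 9]
        pos += 9
        entries.append((fields[0], fields[1], fields[2], kvno, key))
    return entries

def diagnose(data: bytes, service: str, instance: str, realm: str,
             kdc_kvno: Optional[int] = None) -> str:
    """Explain why krb_rd_req would reject a ticket for service.instance@realm."""
    for name, inst, rlm, kvno, _key in parse_srvtab(data):
        if (name, inst, rlm) == (service, instance, realm):
            if kdc_kvno is not None and kvno != kdc_kvno:
                return f"kvno mismatch: srvtab has {kvno}, KDC has {kdc_kvno}"
            return "ok"
    return "missing"

def make_entry(name: str, instance: str, realm: str, kvno: int, key: bytes) -> bytes:
    """Serialise one entry; used here only to build the constructed sample."""
    strings = b"\0".join(s.encode("ascii") for s in (name, instance, realm))
    return strings + b"\0" + bytes([kvno]) + key

# Constructed sample: two entries with all-zero placeholder keys (not real key material).
SAMPLE_SRVTAB = (make_entry("rcmd", "test", "DOMAIN.COM", 1, bytes(8))
                 + make_entry("host", "test.domain.com", "DOMAIN.COM", 1, bytes(8)))

if __name__ == "__main__":
    for e in parse_srvtab(SAMPLE_SRVTAB):
        print(f"{e[0]}.{e[1]}@{e[2]} kvno={e[3]}")
    print(diagnose(SAMPLE_SRVTAB, "rcmd", "test", "DOMAIN.COM"))     # ok
    print(diagnose(SAMPLE_SRVTAB, "rcmd", "test", "DOMAIN.COM", 2))  # kvno mismatch
```

Point parse_srvtab at the bytes of the real /etc/srvtab (or /etc/kerberosIV/srvtab) and pass the kvno the KDC reports for the principal to see which of the two causes applies.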