Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Secure-Shell
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

openssh with cross-realm kerberos (heimdal) authentication

from [Steven Van Acker] Network Security [Permanent Link]
Subject: openssh with cross-realm kerberos (heimdal) authentication
Date: Mon, 29 May 2006 15:45:51 +0200 
Hi,

I'm trying to get cross-realm authentication to work between A.COM and
B.NET for openssh.

The setup is as follows:

the KDC from A.COM has a principal user@A.COM.
the KDC from B.NET has the principal host/sshserver@B.NET
There's also a principal krbtgt/B.NET@A.COM on both KDC's.

The cross-realm authentication seems to work. After kinit user@A.COM and
attempting to ssh to user@sshserver I have the following tickets:

(deepstar/tachyon) ~$ klist 
Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: user@A.COM

  Issued           Expires          Principal
May 29 15:07:18  May 30 01:09:24  krbtgt/A.COM@A.COM
May 29 15:07:20  May 30 01:09:24  krbtgt/B.NET@A.COM
May 29 15:07:19  May 30 01:09:24  host/sshserver@B.NET

But I can't login. When I get a ticket for user@B.NET and attempt to login, it 
works.
So at least I know the setup is correct.

The log from the KDC at B.NET shows something like this:

2006-05-29T15:07:19 TGS-REQ user@A.COM from IPv4:192.168.2.103 for 
host/sshserver@B.NET [proxiable, forwardable]
2006-05-29T15:07:19 Client not found in database: user@A.COM: No such entry in 
the database
2006-05-29T15:07:19 cross-realm A.COM -> B.NET
2006-05-29T15:07:19 sending 665 bytes to IPv4:192.168.2.103

Where 192.168.2.103 is the client aswell as the sshserver in this case...

This leads me to conclude that the SSH-server is trying to verify user@A.COM 
against the B.NET realm.

I'm not sure why this happens ? (krb5.conf should be setup correctly)

Does anyone have a similar problem and maybe a fix ?

I'm using openssh 4.2p1-8 (debian unstable)

kind regards,
-- Steven Van Acker
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Kerberos 5 authentication without password?, Darren Tucker
Next by Date:  Re: openssh with cross-realm kerberos (heimdal) authentication, Simon Wilkinson
Previous by Thread:  Publick key authentication problem, Frans Englich
Next by Thread:  Re: openssh with cross-realm kerberos (heimdal) authentication, Simon Wilkinson
Indexes:  [Date] [Thread] [Top] [All Lists]