From: Kirk Strauser
To: freebsd-questions@freebsd.org
Date: Wed, 29 Dec 2004 16:50:49 -0600
Subject: SSHing to a kerberized jail behind a NAT/firewall
Message-Id: <200412291650.49967.kirk@strauser.com>
List-Id: User questions (freebsd-questions@freebsd.org)

I apologize in advance if this question is pretty information-dense.
I'm using the kdc in the 5.3 base system as an authentication server for my home LAN. I can use kinit to get a TGT from the server from machines on the LAN and elsewhere on the Internet, and I can use SSH with the "GSSAPIAuthentication yes" option to connect to my main server via IPv4 or IPv6. So far, so good.

Next, I decided to kerberize the SSH daemon inside one of my jail servers, virtual1.honeypot.net, so I created a principal for it (host/virtual1.honeypot.net) and extracted that into the jail's /etc/keytab file. Now, I can SSH to that machine from any of the hosts on my LAN, but when I try to connect from the outside world using the FQDN of the jail, I get a lot of errors like this in kdc.log:

    2004-12-29T16:34:58 TGS-REQ kirk@HONEYPOT.NET from IPv4:1.2.3.4 for krbtgt/CONPOINT.COM@HONEYPOT.NET
    2004-12-29T16:34:58 Server not found in database: krbtgt/CONPOINT.COM@HONEYPOT.NET: No such entry in the database

and "ssh -v virtual1.honeypot.net" fails with messages like:

    debug1: match: OpenSSH_3.8.1p1 FreeBSD-20040419 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1 Debian-krb5 3.8.1p1-7
    debug1: Miscellaneous failure
    Server not found in Kerberos database

HONEYPOT.NET is my LAN's realm, and conpoint.com is my home ISP's domain name.

My questions are:

1) Why can I use Kerberos to authenticate to that jail server from inside my LAN, but not from outside (especially when I can connect to its parent machine from the outside world)?

2) Where on earth did that "krbtgt/CONPOINT.COM@HONEYPOT.NET" request come from?

-- 
Kirk Strauser
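Added example (not part of the post above, and not from the FreeBSD or Heimdal projects): a small simulation of the client-side steps an MIT-style Kerberos library takes when OpenSSH with GSSAPIAuthentication is pointed at a hostname. It shows one mechanism that produces exactly the request seen in the kdc.log lines above: the client forward-resolves the name, substitutes the PTR name of the resulting address (reverse-DNS canonicalization), finds no [domain_realm] entry for the ISP's domain, falls back to the upper-cased parent domain as the realm, and therefore asks its own KDC for a cross-realm TGT for that realm. All DNS data, addresses and PTR names are constructed for illustration; the split-horizon forward tables, the 203.0.113.x/192.168.1.x addresses and the name cpe-203-0-113-2.conpoint.com are assumptions, not anything the post states.

```python
"""Simulate how a Kerberos client turns "ssh virtual1.honeypot.net" into a
service principal, and which TGS-REQ it sends first to its own KDC.

All DNS data here is constructed for illustration only."""

CLIENT_REALM = "HONEYPOT.NET"

# Constructed Internet view of DNS: both hosts sit behind NAT; only the main
# server's public address has a PTR record inside honeypot.net.
FORWARD_INTERNET = {
    "kanga.honeypot.net": "203.0.113.1",
    "virtual1.honeypot.net": "203.0.113.2",
}
# Constructed LAN view (split-horizon DNS).
FORWARD_LAN = {
    "kanga.honeypot.net": "192.168.1.1",
    "virtual1.honeypot.net": "192.168.1.2",
}
# Constructed PTR records; the ISP owns the reverse zone for 203.0.113.2.
REVERSE = {
    "203.0.113.1": "kanga.honeypot.net",
    "203.0.113.2": "cpe-203-0-113-2.conpoint.com",  # assumed ISP-assigned PTR
    "192.168.1.1": "kanga.honeypot.net",
    "192.168.1.2": "virtual1.honeypot.net",
}
# [domain_realm] as it would appear in the client's krb5.conf.
DOMAIN_REALM = {
    ".honeypot.net": "HONEYPOT.NET",
    "honeypot.net": "HONEYPOT.NET",
}


def canonicalize(hostname, forward, reverse, rdns=True):
    """Forward-resolve the name; with rdns enabled, replace it by the PTR name
    of the resulting address (the historic default in MIT krb5)."""
    name = hostname.lower().rstrip(".")
    addr = forward.get(name)
    if addr is not None and rdns and addr in reverse:
        return reverse[addr].lower().rstrip(".")
    return name


def realm_for_host(host, domain_realm):
    """Map a canonical hostname to a realm: exact entry first, then the
    longest matching ".parent.domain" entry, else the upper-cased parent
    domain (the MIT fallback when nothing in [domain_realm] applies)."""
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return ".".join(labels[1:]).upper() if len(labels) > 1 else CLIENT_REALM


def first_tgs_request(hostname, forward, reverse=REVERSE,
                      domain_realm=DOMAIN_REALM, rdns=True):
    """Return (service principal the client wants, principal named in the
    first TGS-REQ sent to the client's own KDC). If the service lands in a
    foreign realm the client must first obtain a cross-realm TGT, which is
    the krbtgt/<REALM>@<CLIENT_REALM> request the KDC logs."""
    canon = canonicalize(hostname, forward, reverse, rdns)
    realm = realm_for_host(canon, domain_realm)
    service = f"host/{canon}@{realm}"
    if realm == CLIENT_REALM:
        return service, service
    return service, f"krbtgt/{realm}@{CLIENT_REALM}"


if __name__ == "__main__":
    for where, fwd in (("LAN", FORWARD_LAN), ("Internet", FORWARD_INTERNET)):
        for h in ("kanga.honeypot.net", "virtual1.honeypot.net"):
            print(f"{where:8} {h:24} -> {first_tgs_request(h, fwd)[1]}")
    print("Internet, rdns off       ->",
          first_tgs_request("virtual1.honeypot.net", FORWARD_INTERNET, rdns=False)[1])
```

The practitioner's check is to reverse-resolve, from outside, the address the jail's FQDN maps to (dig -x on that address) and compare the PTR name with the name in the keytab. Note that simply adding a [domain_realm] entry for the ISP's name would only change the realm: the client would then ask for host/<ptr-name>@HONEYPOT.NET, which is still not the host/virtual1.honeypot.net principal extracted into the jail's keytab. Current MIT krb5 clients can be told to keep the name as typed with rdns = false in [libdefaults]; the original poster's client version is not stated, so whether that setting was available to them is not something this example can claim.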