Date: Wed, 29 Dec 2004 16:50:49 -0600
From: Kirk Strauser <kirk@strauser.com>
To: freebsd-questions@freebsd.org
Subject: SSHing to a kerberized jail behind a NAT/firewall
Message-ID: <200412291650.49967.kirk@strauser.com>
I apologize in advance if this question is pretty information-dense.

I'm using the kdc in the 5.3 base system as an authentication server for my home LAN. I can use kinit to get a TGT from the server from machines on the LAN and elsewhere on the Internet, and I can use SSH with the "GSSAPIAuthentication yes" option to connect to my main server via IPv4 or IPv6. So far, so good.

Next, I decided to kerberize the SSH daemon inside one of my jail servers, virtual1.honeypot.net, so I created a principal for it (host/virtual1.honeypot.net) and extracted that into the jail's /etc/keytab file. Now, I can SSH to that machine from any of the hosts on my LAN, but when I try to connect from the outside world using the FQDN of the jail, I get a lot of errors like this in kdc.log:

2004-12-29T16:34:58 TGS-REQ kirk@HONEYPOT.NET from IPv4:1.2.3.4 for krbtgt/CONPOINT.COM@HONEYPOT.NET
2004-12-29T16:34:58 Server not found in database: krbtgt/CONPOINT.COM@HONEYPOT.NET: No such entry in the database

and "ssh -v virtual1.honeypot.net" fails with messages like:

debug1: match: OpenSSH_3.8.1p1 FreeBSD-20040419 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1 Debian-krb5 3.8.1p1-7
debug1: Miscellaneous failure
Server not found in Kerberos database

HONEYPOT.NET is my LAN's realm, and conpoint.com is my home ISP's domain name.

My questions are:

1) Why can I use Kerberos to authenticate to that jail server from inside my LAN, but not from outside (especially when I can connect to its parent machine from the outside world)?

2) Where on earth did that "krbtgt/CONPOINT.COM@HONEYPOT.NET" request come from?
-- 
Kirk Strauser
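A small audit helper, added here and not part of the original post, that parses Heimdal kdc.log lines in the format quoted above and flags TGS-REQs asking for a cross-realm krbtgt the KDC then reports as unknown; the third sample line, the `trusted_realms` parameter and the `Finding` record are my own assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional, List

# Constructed sample: the first two lines are the kdc.log lines from the post,
# the third is an assumed normal LAN-side request added for contrast.
SAMPLE_KDC_LOG = """\
2004-12-29T16:34:58 TGS-REQ kirk@HONEYPOT.NET from IPv4:1.2.3.4 for krbtgt/CONPOINT.COM@HONEYPOT.NET
2004-12-29T16:34:58 Server not found in database: krbtgt/CONPOINT.COM@HONEYPOT.NET: No such entry in the database
2004-12-29T16:35:10 TGS-REQ kirk@HONEYPOT.NET from IPv4:10.0.0.5 for host/virtual1.honeypot.net@HONEYPOT.NET
"""

TGS_RE = re.compile(r"^(?P<ts>\S+) TGS-REQ (?P<client>\S+) from (?P<src>\S+) for (?P<service>\S+)$")
NOTFOUND_RE = re.compile(r"^(?P<ts>\S+) Server not found in database: (?P<service>\S+): No such entry")


@dataclass
class Finding:
    ts: str
    client: str
    src: str
    service: str
    foreign_realm: Optional[str]  # realm named in a krbtgt/<REALM> request we do not trust
    unknown_server: bool          # KDC logged "Server not found in database" for it


def split_principal(principal: str):
    """'krbtgt/CONPOINT.COM@HONEYPOT.NET' -> ('krbtgt', 'CONPOINT.COM', 'HONEYPOT.NET')."""
    name, _, realm = principal.partition("@")
    service, _, instance = name.partition("/")
    return service, instance, realm


def audit_kdc_log(text: str, local_realm: str, trusted_realms=()) -> List[Finding]:
    """One Finding per TGS-REQ; a krbtgt request for a realm other than the local
    one (or an explicitly trusted cross-realm peer) is marked, and the KDC's own
    "Server not found" errors are joined onto the request they refer to."""
    not_found = {m.group("service") for m in map(NOTFOUND_RE.match, text.splitlines()) if m}
    findings = []
    for line in text.splitlines():
        m = TGS_RE.match(line)
        if not m:
            continue
        service, instance, _realm = split_principal(m.group("service"))
        foreign = None
        if service == "krbtgt" and instance != local_realm and instance not in trusted_realms:
            foreign = instance
        findings.append(Finding(m.group("ts"), m.group("client"), m.group("src"),
                                m.group("service"), foreign, m.group("service") in not_found))
    return findings


if __name__ == "__main__":
    for f in audit_kdc_log(SAMPLE_KDC_LOG, "HONEYPOT.NET"):
        print(f)
```

Run over a real kdc.log, a steady stream of findings with `foreign_realm` set and `unknown_server` true usually points at clients deriving the wrong realm for a service rather than at a missing cross-realm trust, which is worth checking before adding any krbtgt entries.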