Date:      Wed, 29 Dec 2004 16:50:49 -0600
From:      Kirk Strauser <kirk@strauser.com>
To:        freebsd-questions@freebsd.org
Subject:   SSHing to a kerberized jail behind a NAT/firewall
Message-ID:  <200412291650.49967.kirk@strauser.com>


I apologize in advance if this question is pretty information-dense.

I'm using the kdc in the 5.3 base system as an authentication server for
my home LAN.  I can use kinit to get a TGT from the server from machines
on the LAN and elsewhere on the Internet, and I can use SSH with the
"GSSAPIAuthentication yes" option to connect to my main server via IPv4
or IPv6.  So far, so good.

Next, I decided to kerberize the SSH daemon inside one of my jail servers,
virtual1.honeypot.net, so I created a principal for it
(host/virtual1.honeypot.net) and extracted that into the jail's
/etc/keytab file.

Now, I can SSH to that machine from any of the hosts on my LAN, but when
I try to connect from the outside world using the FQDN of the jail, I get
a lot of errors like this in kdc.log:

    2004-12-29T16:34:58 TGS-REQ kirk@HONEYPOT.NET from IPv4:1.2.3.4 for krbtgt/CONPOINT.COM@HONEYPOT.NET
    2004-12-29T16:34:58 Server not found in database: krbtgt/CONPOINT.COM@HONEYPOT.NET: No such entry in the database

and "ssh -v virtual1.honeypot.net" fails with messages like:

    debug1: match: OpenSSH_3.8.1p1 FreeBSD-20040419 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1  Debian-krb5 3.8.1p1-7
    debug1: Miscellaneous failure
    Server not found in Kerberos database

HONEYPOT.NET is my LAN's realm, and conpoint.com is my home ISP's domain
name.

My questions are:

  1) Why can I use Kerberos to authenticate to that jail server from inside
my LAN, but not from outside (especially when I can connect to its parent
machine from the outside world)?
  2) Where on earth did that "krbtgt/CONPOINT.COM@HONEYPOT.NET" request
come from?
-- 
Kirk Strauser

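The second question in the message turns on what that principal name means: a client asks its KDC for krbtgt/OTHER.REALM@LOCAL.REALM when its host-to-realm mapping has put the target host in OTHER.REALM and it needs a cross-realm ticket to get there; the KDC rejects it with "Server not found in database" because no such cross-realm principal exists. An admin reviewing kdc.log wants to spot exactly those rejected referrals and see which client and source address produced them. The script below is an added example, not code from the original post or from FreeBSD; it parses the two kdc.log line shapes quoted above and flags failed cross-realm TGT requests. The sample log is constructed: it repeats the two quoted lines and adds an assumed successful in-LAN request for contrast.

```python
"""Parse Heimdal-style kdc.log lines and flag failed cross-realm TGT requests.

Added example, not part of the original post. The line formats follow the
two kdc.log lines quoted in the message; the sample log is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two lines from the post plus one assumed
# successful request from inside the LAN, in the same log format.
SAMPLE_KDC_LOG = """\
2004-12-29T16:34:58 TGS-REQ kirk@HONEYPOT.NET from IPv4:1.2.3.4 for krbtgt/CONPOINT.COM@HONEYPOT.NET
2004-12-29T16:34:58 Server not found in database: krbtgt/CONPOINT.COM@HONEYPOT.NET: No such entry in the database
2004-12-29T16:35:10 TGS-REQ kirk@HONEYPOT.NET from IPv4:192.168.1.20 for host/virtual1.honeypot.net@HONEYPOT.NET
"""

TGS_REQ_RE = re.compile(
    r"^(?P<ts>\S+) TGS-REQ (?P<client>\S+) from (?P<addr>\S+) for (?P<service>\S+)$"
)
NOT_FOUND_RE = re.compile(
    r"^(?P<ts>\S+) Server not found in database: (?P<service>\S+): "
)


@dataclass
class TgsRequest:
    timestamp: str
    client: str
    source: str
    service: str                              # service principal the client asked for
    failed: bool = False                      # KDC answered "Server not found in database"
    cross_realm_target: Optional[str] = None  # realm named in krbtgt/<REALM>, if foreign


def cross_realm_target(service: str) -> Optional[str]:
    """Return the foreign realm if `service` is a cross-realm TGT principal.

    krbtgt/OTHER.REALM@LOCAL.REALM is what a client requests once it has
    decided the target host lives in OTHER.REALM.
    """
    name, _, realm = service.partition("@")
    if not name.startswith("krbtgt/"):
        return None
    target = name[len("krbtgt/"):]
    return target if target and target != realm else None


def parse_kdc_log(text: str) -> List[TgsRequest]:
    """Collect TGS-REQ entries and mark those the KDC later rejected."""
    requests: List[TgsRequest] = []
    for line in text.splitlines():
        m = TGS_REQ_RE.match(line)
        if m:
            requests.append(TgsRequest(
                timestamp=m["ts"], client=m["client"], source=m["addr"],
                service=m["service"],
                cross_realm_target=cross_realm_target(m["service"]),
            ))
            continue
        m = NOT_FOUND_RE.match(line)
        if m:
            # Attribute the failure to the most recent unresolved request
            # for the same service principal.
            for req in reversed(requests):
                if req.service == m["service"] and not req.failed:
                    req.failed = True
                    break
    return requests


def failed_cross_realm(requests: List[TgsRequest]) -> List[TgsRequest]:
    """Requests rejected because the foreign realm's krbtgt is unknown here."""
    return [r for r in requests if r.failed and r.cross_realm_target]


if __name__ == "__main__":
    for r in failed_cross_realm(parse_kdc_log(SAMPLE_KDC_LOG)):
        print(f"{r.timestamp} {r.client} from {r.source} was referred to realm "
              f"{r.cross_realm_target}, which this KDC has no cross-realm entry for")
```

Run against a real kdc.log, the report lists each client and source address that was steered toward a realm the KDC does not know, which is the first thing to check when a host is reachable by Kerberos from one network but not another.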