Kerberised ssh <host> only works if first command after kinit is telnet <host>



Hi,
I am trying to set up a Kerberised authentication environment.

The test environment right now consists of one Solaris 10 host and one
FreeBSD 6.1 host.

The Solaris 10 machine is acting as KDC and is running MIT Kerberos V 1.5.1.

Except for the KDC all utilities are the OS default (which means
Heimdal for the FreeBSD host and I believe some patched up MIT for the
Solaris host).

What I don't understand however is what happens when I request host
tickets (or whatever is the problem), so I just illustrate it by doing
some copy paste and hope someone has an idea. Sorry for the extreme
verbosity, I don't know what information is useful so I attached all.

gustafg.bakburk<~>$ kinit
gustafg@xxxxxxxxxxxxx's Password:
kinit: NOTICE: ticket renewable lifetime is 0

[kdc.log] Aug 28 13:29:38 mamma krb5kdc[8675](info): AS_REQ (6 etypes
{16 5 23 3 2 1}) 172.20.32.111: ISSUE: authtime 1156764578, etypes
{rep=16 tkt=16 ses=16}, gustafg@xxxxxxxxxxxxx for
krbtgt/NMS.TELE2.NET@xxxxxxxxxxxxx

gustafg.bakburk<~>$ klist -v
Credentials cache: FILE:/tmp/krb5cc_1001
Principal: gustafg@xxxxxxxxxxxxx
Cache version: 4

Server: krbtgt/NMS.TELE2.NET@xxxxxxxxxxxxx
Ticket etype: des3-cbc-sha1, kvno 1
Auth time: Aug 28 13:29:38 2006
End time: Aug 28 23:29:38 2006
Renew till: Aug 28 13:29:38 2006
Ticket flags: renewable, initial
Addresses: IPv4:172.20.32.111

gustafg.bakburk<~>$ ssh mamma
Password:

Aug 28 13:30:21 mamma krb5kdc[8675](info): TGS_REQ (6 etypes {16 5 23 3
2 1}) 172.20.32.111: ISSUE: authtime 1156764578, etypes {rep=16 tkt=16
ses=16}, gustafg@xxxxxxxxxxxxx for host/mamma.nms.tele2.net@xxxxxxxxxxxxx
Aug 28 13:30:21 mamma krb5kdc[8675](info): TGS_REQ (6 etypes {16 5 23 3
2 1}) 172.20.32.111: TGT NOT FORWARDABLE: authtime 1156764578,
gustafg@xxxxxxxxxxxxx for krbtgt/NMS.TELE2.NET@xxxxxxxxxxxxx, KDC can't
fulfill requested option

^-- The forwardable thing is not the problem; I can remove that problem
by doing 'kinit -f' and things will still not work (maybe obvious to you
but it wasn't to me; I suppose that is because PAM or something is trying
to get a new ticket?).

gustafg.bakburk<~>$ klist -v
Credentials cache: FILE:/tmp/krb5cc_1001
Principal: gustafg@xxxxxxxxxxxxx
Cache version: 4

Server: krbtgt/NMS.TELE2.NET@xxxxxxxxxxxxx
Ticket etype: des3-cbc-sha1, kvno 1
Auth time: Aug 28 13:29:38 2006
End time: Aug 28 23:29:38 2006
Renew till: Aug 28 13:29:38 2006
Ticket flags: renewable, initial
Addresses: IPv4:172.20.32.111

Server: host/mamma.nms.tele2.net@xxxxxxxxxxxxx
Ticket etype: des3-cbc-sha1, kvno 3
Auth time: Aug 28 13:29:38 2006
Start time: Aug 28 13:30:21 2006
End time: Aug 28 23:29:38 2006
Ticket flags: transited-policy-checked
Addresses: IPv4:172.20.32.111

gustafg.bakburk<~>$ telnet -x mamma
Trying 172.20.32.110...
Connected to mamma.nms.tele2.net.
Escape character is '^]'.
[ Trying mutual KERBEROS5 (host/mamma.nms.tele2.net@xxxxxxxxxxxxx)... ]
[ Kerberos V5 refuses authentication because Kerberos checksum
verification failed: Bad encryption type ]
[ Trying KERBEROS5 (host/mamma.nms.tele2.net@xxxxxxxxxxxxx)... ]
[ Kerberos V5 refuses authentication because Kerberos checksum
verification failed: Bad encryption type ]
Connection closed by foreign host.

[kdc.log] Aug 28 13:32:02 mamma krb5kdc[8675](info): TGS_REQ (1 etypes
{1}) 172.20.32.111: ISSUE: authtime 1156764578, etypes {rep=16 tkt=16
ses=1}, gustafg@xxxxxxxxxxxxx for host/mamma.nms.tele2.net@xxxxxxxxxxxxx

gustafg.bakburk<~>$ klist
Credentials cache: FILE:/tmp/krb5cc_1001
Principal: gustafg@xxxxxxxxxxxxx

Issued Expires Principal
Aug 28 13:29:38 Aug 28 23:29:38 krbtgt/NMS.TELE2.NET@xxxxxxxxxxxxx
Aug 28 13:30:21 Aug 28 23:29:38 host/mamma.nms.tele2.net@xxxxxxxxxxxxx
Aug 28 13:32:02 Aug 28 23:29:38 host/mamma.nms.tele2.net@xxxxxxxxxxxxx

^--- Now we have 2 host tickets???

gustafg.bakburk<~>$ klist -v
Credentials cache: FILE:/tmp/krb5cc_1001
Principal: gustafg@xxxxxxxxxxxxx
Cache version: 4

Server: krbtgt/NMS.TELE2.NET@xxxxxxxxxxxxx
Ticket etype: des3-cbc-sha1, kvno 1
Auth time: Aug 28 13:29:38 2006
End time: Aug 28 23:29:38 2006
Renew till: Aug 28 13:29:38 2006
Ticket flags: renewable, initial
Addresses: IPv4:172.20.32.111

Server: host/mamma.nms.tele2.net@xxxxxxxxxxxxx
Ticket etype: des3-cbc-sha1, kvno 3
Auth time: Aug 28 13:29:38 2006
Start time: Aug 28 13:30:21 2006
End time: Aug 28 23:29:38 2006
Ticket flags: transited-policy-checked
Addresses: IPv4:172.20.32.111

Server: host/mamma.nms.tele2.net@xxxxxxxxxxxxx
Ticket etype: des3-cbc-sha1, kvno 3
Session key: des
Auth time: Aug 28 13:29:38 2006
Start time: Aug 28 13:32:02 2006
End time: Aug 28 23:29:38 2006
Ticket flags: transited-policy-checked
Addresses: IPv4:172.20.32.111

gustafg.bakburk<~>$ kdestroy

gustafg@xxxxxxxxxxxxx's Password:
kinit: NOTICE: ticket renewable lifetime is 0

gustafg.bakburk<~>$ telnet -x mamma
Trying 172.20.32.110...
Connected to mamma.nms.tele2.net.
Escape character is '^]'.
[ Trying mutual KERBEROS5 (host/mamma.nms.tele2.net@xxxxxxxxxxxxx)... ]
[ Kerberos V5 refuses authentication because Kerberos checksum
verification failed: Bad encryption type ]
[ Trying KERBEROS5 (host/mamma.nms.tele2.net@xxxxxxxxxxxxx)... ]
[ Kerberos V5 refuses authentication because Kerberos checksum
verification failed: Bad encryption type ]
Connection closed by foreign host.

gustafg.bakburk<~>$ klist -v
Credentials cache: FILE:/tmp/krb5cc_1001
Principal: gustafg@xxxxxxxxxxxxx
Cache version: 4

Server: krbtgt/NMS.TELE2.NET@xxxxxxxxxxxxx
Ticket etype: des3-cbc-sha1, kvno 1
Auth time: Aug 28 13:33:15 2006
End time: Aug 28 23:33:15 2006
Renew till: Aug 28 13:33:15 2006
Ticket flags: renewable, initial
Addresses: IPv4:172.20.32.111

Server: host/mamma.nms.tele2.net@xxxxxxxxxxxxx
Ticket etype: des3-cbc-sha1, kvno 3
Session key: des
Auth time: Aug 28 13:33:15 2006
Start time: Aug 28 13:33:27 2006
End time: Aug 28 23:33:15 2006
Ticket flags: transited-policy-checked
Addresses: IPv4:172.20.32.111

Aug 28 13:33:15 mamma krb5kdc[8675](info): AS_REQ (6 etypes {16 5 23 3 2
1}) 172.20.32.111: ISSUE: authtime 1156764795, etypes {rep=16 tkt=16
ses=16}, gustafg@xxxxxxxxxxxxx for krbtgt/NMS.TELE2.NET@xxxxxxxxxxxxx
Aug 28 13:33:27 mamma krb5kdc[8675](info): TGS_REQ (1 etypes {1})
172.20.32.111: ISSUE: authtime 1156764795, etypes {rep=16 tkt=16 ses=1},
gustafg@xxxxxxxxxxxxx for host/mamma.nms.tele2.net@xxxxxxxxxxxxx

gustafg.bakburk<~>$ ssh mamma
Last login: Mon Aug 28 12:38:46 2006 from bakburk.nms.tel
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
gustafg@mamma ~>

Aug 28 13:34:01 mamma krb5kdc[8675](info): TGS_REQ (6 etypes {16 5 23 3
2 1}) 172.20.32.111: TGT NOT FORWARDABLE: authtime 1156764795,
gustafg@xxxxxxxxxxxxx for krbtgt/NMS.TELE2.NET@xxxxxxxxxxxxx, KDC can't
fulfill requested option

---------------------------

Right now the only host ticket type in the KDC for the host mamma is:

kadmin.local: getprinc host/mamma.nms.tele2.net@xxxxxxxxxxxxx
Principal: host/mamma.nms.tele2.net@xxxxxxxxxxxxx
Expiration date: [never]
Last password change: Mon Aug 28 12:37:22 CEST 2006
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Mon Aug 28 12:37:22 CEST 2006 (gustafg/admin@xxxxxxxxxxxxx)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
Attributes:
Policy: [none]
kadmin.local:

root@mamma ~> klist -k -e -t
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------------
   3 08/28/06 12:37:22 host/mamma.nms.tele2.net@xxxxxxxxxxxxx (Triple DES cbc mode with HMAC/sha1)

I have experimented by using all supported encryption types and by using
only this one and I experience more or less the same result (there was a
point in time where I could do both ssh+telnet though, I believe it
doesn't work anymore because I removed some key type).

Regards,
Gustaf

________________________________________________
Kerberos mailing list Kerberos@xxxxxxx
https://mailman.mit.edu/mailman/listinfo/kerberos
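The KDC log excerpts in the post above show the three things worth spotting when chasing an etype problem like this one: a TGS_REQ rejected with TGT NOT FORWARDABLE, a second TGS_REQ in which the client offered only etype 1 (single DES) and was issued a DES session key, and, as a result, two service tickets for the same host principal differing only in session-key etype. The following script, an added example and not code from the original post or from MIT Kerberos, parses krb5kdc log lines in the format shown in the post and flags those three conditions. The log lines embedded in it are constructed (realm EXAMPLE.COM, principal alice, host srv.example.com, IP 192.0.2.11) and only mimic the shape of the ones in the post; the etype number-to-name table follows the IANA Kerberos encryption type registry.

```python
"""Parse MIT krb5kdc log lines and flag enctype negotiation problems.

Added example; not from the original post. Sample log lines below are
constructed to mirror the format of the KDC log in the post.
"""
import re
from collections import defaultdict

# IANA Kerberos encryption type numbers; klist prints 16 as "des3-cbc-sha1".
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    5: "des3-cbc-md5", 16: "des3-cbc-sha1-kd",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
WEAK_ETYPES = {1, 2, 3}  # single DES

# One krb5kdc line, as in the post but with the wrapped lines joined again.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<kdc>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[^}]*)\}\) "
    r"(?P<ip>[\d.]+): (?P<status>ISSUE|[A-Z][A-Z ]*[A-Z]): authtime (?P<authtime>\d+), "
    r"(?:etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, )?"
    r"(?P<client>\S+) for (?P<server>[^,\s]+)(?:, (?P<reason>.*))?$"
)

# Constructed sample: a kinit, an ssh attempt (service ticket plus a failed
# forwardable-TGT request), then a DES-only client asking for the same service.
SAMPLE_LOG = """\
Aug 28 13:29:38 kdc1 krb5kdc[8675](info): AS_REQ (6 etypes {16 5 23 3 2 1}) 192.0.2.11: ISSUE: authtime 1156764578, etypes {rep=16 tkt=16 ses=16}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Aug 28 13:30:21 kdc1 krb5kdc[8675](info): TGS_REQ (6 etypes {16 5 23 3 2 1}) 192.0.2.11: ISSUE: authtime 1156764578, etypes {rep=16 tkt=16 ses=16}, alice@EXAMPLE.COM for host/srv.example.com@EXAMPLE.COM
Aug 28 13:30:21 kdc1 krb5kdc[8675](info): TGS_REQ (6 etypes {16 5 23 3 2 1}) 192.0.2.11: TGT NOT FORWARDABLE: authtime 1156764578, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, KDC can't fulfill requested option
Aug 28 13:32:02 kdc1 krb5kdc[8675](info): TGS_REQ (1 etypes {1}) 192.0.2.11: ISSUE: authtime 1156764578, etypes {rep=16 tkt=16 ses=1}, alice@EXAMPLE.COM for host/srv.example.com@EXAMPLE.COM
"""


def etype_name(e):
    return ETYPE_NAMES.get(e, f"etype {e}")


def parse_kdc_log(text):
    """Return one dict per recognised krb5kdc request line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated log line; skip
        d = m.groupdict()
        d["offered"] = [int(x) for x in d["offered"].split()]
        for k in ("rep", "tkt", "ses"):
            d[k] = int(d[k]) if d[k] else None
        d["authtime"] = int(d["authtime"])
        records.append(d)
    return records


def analyze(records):
    """Flag refused requests, DES session-key downgrades and duplicate tickets."""
    findings = []
    issued = defaultdict(list)  # (client, server, authtime) -> ISSUE records
    for r in records:
        who = f"{r['ts']} {r['req']} {r['client']} -> {r['server']}"
        if r["status"] != "ISSUE":
            hint = ""
            if r["status"] == "TGT NOT FORWARDABLE":
                hint = (" (client asked for a forwardable ticket but its TGT is not;"
                        " kinit -f, or forwardable = true in [libdefaults])")
            findings.append(f"{who}: {r['status']}{hint}")
            continue
        if r["ses"] in WEAK_ETYPES:
            offered = ", ".join(etype_name(e) for e in r["offered"])
            findings.append(f"{who}: session key downgraded to {etype_name(r['ses'])}"
                            f" (client offered only: {offered})")
        issued[(r["client"], r["server"], r["authtime"])].append(r)
    # Same TGT, same service, different session-key etype: the client cache
    # ends up holding one ticket per etype, as seen in the post's klist output.
    for (client, server, _), recs in issued.items():
        ses = sorted({r["ses"] for r in recs})
        if len(recs) > 1 and len(ses) > 1:
            findings.append(f"{client} -> {server}: {len(recs)} tickets issued under one"
                            f" TGT with different session-key etypes {ses}")
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_kdc_log(SAMPLE_LOG)):
        print(finding)
```

Run it against a real kdc.log after joining wrapped lines; a service ticket with a DES session key alongside a des3 one for the same host principal is the signature of one client (the telnet in the post) negotiating a weaker etype than the other (ssh), which is where to start looking rather than at the keytab alone.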
