SSHing to a kerberized jail behind a NAT/firewall

Kirk Strauser kirk at strauser.com
Wed Dec 29 14:50:53 PST 2004 

I apologize in advance if this question is pretty information-dense.

I'm using the kdc in the 5.3 base system as an authentication server for
my home LAN.  I can use kinit to get a TGT from the server from machines
on the LAN and elsewhere on the Internet, and I can use SSH with the
"GSSAPIAuthentication yes" option to connect to my main server via IPv4
or IPv6.  So far, so good.

Next, I decided to kerberize the SSH daemon inside one of my jail servers,
virtual1.honeypot.net, so I created a principal for it 
(host/virtual1.honeypot.net) and extracted that into the jail's
/etc/keytab file.

Now, I can SSH to that machine from any of the hosts on my LAN, but when
I try to connect from the outside world using the FQDN of the jail, I get
a lot of errors like this in kdc.log:

    2004-12-29T16:34:58 TGS-REQ kirk at HONEYPOT.NET from IPv4:1.2.3.4 for krbtgt/CONPOINT.COM at HONEYPOT.NET
    2004-12-29T16:34:58 Server not found in database: krbtgt/CONPOINT.COM at HONEYPOT.NET: No such entry in the database

and "ssh -v virtual1.honeypot.net" fails with messages like:

    debug1: match: OpenSSH_3.8.1p1 FreeBSD-20040419 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1  Debian-krb5 3.8.1p1-7
    debug1: Miscellaneous failure
    Server not found in Kerberos database

HONEYPOT.NET is my LAN's realm, and conpoint.com is my home ISP's domain
name.

My questions are:

  1) Why can I use Kerberos to authenticate to that jail server from inside
my LAN, but not from outside (especially when I can connect to its parent
machine from the outside world)?
  2) Where on earth did that "krbtgt/CONPOINT.COM at HONEYPOT.NET" request
come from?
-- 
Kirk Strauser
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 155 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20041229/64917d67/attachment.bin

More information about the freebsd-questions mailing list