SSHing to a kerberized jail behind a NAT/firewall
Kirk Strauser
kirk at strauser.com
Wed Dec 29 14:50:53 PST 2004
I apologize in advance if this question is pretty information-dense.
I'm using the kdc in the 5.3 base system as an authentication server for
my home LAN. I can use kinit to get a TGT from the server from machines
on the LAN and elsewhere on the Internet, and I can use SSH with the
"GSSAPIAuthentication yes" option to connect to my main server via IPv4
or IPv6. So far, so good.
Next, I decided to kerberize the SSH daemon inside one of my jail servers,
virtual1.honeypot.net, so I created a principal for it
(host/virtual1.honeypot.net) and extracted that into the jail's
/etc/keytab file.
Now, I can SSH to that machine from any of the hosts on my LAN, but when
I try to connect from the outside world using the FQDN of the jail, I get
a lot of errors like this in kdc.log:
2004-12-29T16:34:58 TGS-REQ kirk@HONEYPOT.NET from IPv4:1.2.3.4 for krbtgt/CONPOINT.COM@HONEYPOT.NET
2004-12-29T16:34:58 Server not found in database: krbtgt/CONPOINT.COM@HONEYPOT.NET: No such entry in the database
and "ssh -v virtual1.honeypot.net" fails with messages like:
debug1: match: OpenSSH_3.8.1p1 FreeBSD-20040419 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1 Debian-krb5 3.8.1p1-7
debug1: Miscellaneous failure
Server not found in Kerberos database
HONEYPOT.NET is my LAN's realm, and conpoint.com is my home ISP's domain
name.
My questions are:
1) Why can I use Kerberos to authenticate to that jail server from inside
my LAN, but not from outside (especially when I can connect to its parent
machine from the outside world)?
2) Where on earth did that "krbtgt/CONPOINT.COM@HONEYPOT.NET" request
come from?
--
Kirk Strauser
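The TGS-REQ in the kdc.log excerpt above has the shape of a cross-realm request: the client believes the SSH service lives in realm CONPOINT.COM and asks its own KDC (HONEYPOT.NET) for a krbtgt/CONPOINT.COM@HONEYPOT.NET ticket to get there. The Python below is an added example, not code from the post or from any Kerberos implementation; it models how a GSSAPI client derives the host/ service principal for an SSH target (canonicalizing the name through DNS, then mapping the resulting domain to a realm via [domain_realm] or the upper-cased parent domain) and which principal it then requests. The addresses, the PTR name dsl-7.conpoint.com and the vantage-point split are constructed to illustrate the mechanism, and the assumption that the NAT'd address carries an ISP-owned PTR record is exactly that, an assumption.

```python
# Added example (not from the original post): a model of how a Kerberos
# client with GSSAPI builds the SSH service principal from the name it was
# given and which ticket it then requests from its own KDC. Hostnames,
# addresses and the [domain_realm] mapping below are constructed.

# Constructed DNS view of one jail seen from two vantage points. From inside
# the LAN the name resolves to a private address whose PTR record points back
# to the jail; from outside it resolves to the NAT'd public address, whose
# PTR record is whatever the ISP published (assumption).
CONSTRUCTED_FORWARD = {
    ("virtual1.honeypot.net", "inside"): "10.0.0.5",
    ("virtual1.honeypot.net", "outside"): "203.0.113.7",
}
CONSTRUCTED_REVERSE = {
    "10.0.0.5": "virtual1.honeypot.net",
    "203.0.113.7": "dsl-7.conpoint.com",
}


def canonical_hostname(target, vantage, rdns=True):
    """Canonicalize the target the way a client that trusts DNS does:
    forward-resolve, then (if rdns is on) replace the name with the PTR
    record of the resulting address. With rdns off the typed name is used."""
    name = target.lower().rstrip(".")
    if not rdns:
        return name
    addr = CONSTRUCTED_FORWARD.get((name, vantage))
    if addr is None:
        return name
    return CONSTRUCTED_REVERSE.get(addr, name)


def realm_for_host(fqdn, domain_realm):
    """[domain_realm] lookup: exact hostname first, then each parent domain
    with a leading dot. With no match, fall back to the upper-cased parent
    domain of the host (DNS TXT-based realm lookup is not modelled here)."""
    host = fqdn.lower()
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return ".".join(labels[1:]).upper()


def service_principal(target, vantage, domain_realm, rdns=True):
    """host/<canonical fqdn>@<realm>, as the client will ask for it."""
    fqdn = canonical_hostname(target, vantage, rdns)
    return f"host/{fqdn}@{realm_for_host(fqdn, domain_realm)}"


def tgs_request(client_realm, principal):
    """Principal named in the TGS-REQ the client sends to its own KDC: the
    service itself when the realms match, otherwise the cross-realm TGT
    krbtgt/<service realm>@<client realm>, which the KDC can only issue if
    that cross-realm principal exists in its database."""
    service_realm = principal.rsplit("@", 1)[1]
    if service_realm == client_realm:
        return principal
    return f"krbtgt/{service_realm}@{client_realm}"


if __name__ == "__main__":
    # Walk the four combinations so the effect of reverse-DNS canonicalization
    # from each vantage point is visible side by side.
    for vantage in ("inside", "outside"):
        for rdns in (True, False):
            p = service_principal("virtual1.honeypot.net", vantage, {}, rdns)
            req = tgs_request("HONEYPOT.NET", p)
            print(f"{vantage:7} rdns={rdns!s:5} wants {p:48} -> TGS-REQ for {req}")
```

Run from the outside with reverse-DNS canonicalization on, the model yields host/dsl-7.conpoint.com@CONPOINT.COM and therefore a TGS-REQ for krbtgt/CONPOINT.COM@HONEYPOT.NET, the same request shape the kdc.log line shows; with canonicalization off, or with a [domain_realm] entry mapping the ISP domain back to HONEYPOT.NET, the realm stays HONEYPOT.NET, though a mapped-but-canonicalized name still asks for host/dsl-7.conpoint.com, which no keytab in the jail contains. The practical check on a real client is the service principal `ssh -v` reports it is requesting, compared against the [domain_realm] section and canonicalization settings in the client's krb5.conf.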