
I want to authenticate with SSH through Kerberos SSO. Now when I'm logged in with my user principal on sourcehost I get my Kerberos Ticket but can't use it to SSH into targethost.

The problem seems to be the hostname. I have a host principal host/targethost.example.com@EXAMPLE.COM but no matter if I ssh targethost or ssh targethost.example.com it gets translated into host principal host/targethost@EXAMPLE.COM (see error message below), which doesn't exist.

I might be wrong, but I think it should be the other way around and both ssh targethost and ssh targethost.example.com should be translated into host principal host/targethost.example.com@EXAMPLE.COM.

Here's the error:

$ ssh targethost.example.com -v
...
debug1: Unspecified GSS failure.  Minor code may provide more information
Server host/targethost@EXAMPLE.COM not found in Kerberos database

debug1: Unspecified GSS failure.  Minor code may provide more information
Server host/targethost@EXAMPLE.COM not found in Kerberos database

debug1: Unspecified GSS failure.  Minor code may provide more information
...
debug1: Next authentication method: password
[email protected]'s password: 

Can anybody explain how the host principal is derived from the hostname and how this can be configured (I'm on Ubuntu by the way)?


Edit:

grawity's answer led me to a solution that I think is a good one for my configuration.

  • I found in Garman's Kerberos book that KDC-side canonicalization was the preferred way.
  • For my LDAP-backed KDC I found in the Kerberos documentation (at the bottom of this page) the way how this can be realized.

So after creating the host principal with kadmin.local / addprinc with the FQDN I had to add an alias to the new principal entry in LDAP by running ldapmodify with the following input:

dn: krbPrincipalName=host/targethost.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbContainer,dc=example,dc=com
replace: krbCanonicalName
krbCanonicalName: host/targethost.example.com@EXAMPLE.COM
-
add: krbPrincipalName
krbPrincipalName: host/targethost@EXAMPLE.COM

1 Answer

Traditionally, Kerberos has used reverse-DNS to canonicalize the principal name. That is, after resolving targethost.example.com to an IP address, it tries to resolve the address back to the "canonical" name, and uses that for the principal.

If your targethost was resolved via /etc/hosts, then the first name in the corresponding line will be used as the "canonical" name:

# good:
1.2.3.4  targethost.example.com  targethost

# bad:
1.2.3.4  targethost  targethost.example.com

If you want, you can turn off DNS-based canonicalization entirely via /etc/krb5.conf:

[libdefaults]
    dns_canonicalize_hostname = false

...and simply create two principals for the host – one for the short name, one for the long one. (That's actually what Active Directory does, and it's not unlike how SSL/TLS behaves – it's always safer to directly use the user input rather than ask DNS.)
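As an added example (not code from the question or the answer), the following POSIX shell script models the lookup the answer describes: the typed name is forward-resolved, the address is reverse-resolved, and the first name on the matching hosts line becomes the host/ principal, unless canonicalization is disabled, in which case the typed name is used verbatim. It then checks the derived principal against a KDC principal list, so the "not found in Kerberos database" case from the question, the "good" hosts ordering, the two-principals approach and the krbPrincipalName alias can all be compared. The hosts tables, KDC principal lists and realm are constructed for the demo; a real client consults the resolver (getent ahosts, as the comment below notes) and the KDC.

```shell
#!/bin/sh
# Added example, not code from the original question or answer: a small
# model of how a Kerberos client turns the hostname typed at "ssh <name>"
# into a host/ service principal, and whether the KDC would find it.
# The hosts tables, realm and KDC principal lists are constructed for the
# demo; real clients consult the resolver and the KDC.

REALM="EXAMPLE.COM"

# Constructed /etc/hosts contents: the "good" and "bad" orderings from the answer.
GOOD_HOSTS="1.2.3.4  targethost.example.com  targethost"
BAD_HOSTS="1.2.3.4  targethost  targethost.example.com"

# Constructed KDC databases: one canonical principal per line, followed by
# its aliases. KDC_BEFORE is the question's starting point, KDC_TWO the
# answer's "two principals", KDC_ALIAS the asker's krbPrincipalName alias.
KDC_BEFORE="host/targethost.example.com@EXAMPLE.COM"
KDC_TWO="host/targethost.example.com@EXAMPLE.COM
host/targethost@EXAMPLE.COM"
KDC_ALIAS="host/targethost.example.com@EXAMPLE.COM host/targethost@EXAMPLE.COM"

# forward_lookup TABLE NAME: address of the first hosts line listing NAME
# (any name field matches, as with the files resolver); empty if none.
forward_lookup() {
    printf '%s\n' "$1" | awk -v name="$2" '
        NF == 0 || $1 ~ /^#/ { next }
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }'
}

# reverse_lookup TABLE ADDR: the first name on the line for ADDR, which is
# what a reverse (PTR-style) lookup returns and what canonicalization uses.
reverse_lookup() {
    printf '%s\n' "$1" | awk -v addr="$2" '
        NF == 0 || $1 ~ /^#/ { next }
        $1 == addr { print $2; exit }'
}

# host_principal TABLE NAME CANONICALIZE: host/<name>@REALM, where <name> is
# the reverse-resolved canonical name when CANONICALIZE is "true"
# (dns_canonicalize_hostname = true) and the typed name when it is "false".
host_principal() {
    hp_name=$2
    if [ "$3" = "true" ]; then
        hp_addr=$(forward_lookup "$1" "$hp_name")
        if [ -n "$hp_addr" ]; then
            hp_canon=$(reverse_lookup "$1" "$hp_addr")
            if [ -n "$hp_canon" ]; then hp_name=$hp_canon; fi
        fi
    fi
    printf 'host/%s@%s\n' "$hp_name" "$REALM"
}

# kdc_lookup KDC PRINCIPAL: canonical principal if PRINCIPAL is a canonical
# name or an alias in the KDC list; nothing and status 1 if not in the database.
kdc_lookup() {
    printf '%s\n' "$1" | awk -v p="$2" '
        { for (i = 1; i <= NF; i++) if ($i == p) { print $1; found = 1; exit } }
        END { exit !found }'
}

# ticket_request KDC HOSTS NAME CANONICALIZE: outcome of asking the KDC for a
# service ticket for the principal derived from NAME.
ticket_request() {
    tr_princ=$(host_principal "$2" "$3" "$4")
    if tr_canon=$(kdc_lookup "$1" "$tr_princ"); then
        printf 'OK: ticket for %s\n' "$tr_canon"
    else
        printf 'Server %s not found in Kerberos database\n' "$tr_princ"
    fi
}

# Demo: the failing case from the question, then each of the fixes.
for typed in targethost targethost.example.com; do
    echo "ssh $typed"
    echo "  bad hosts, canonicalize, FQDN principal only: $(ticket_request "$KDC_BEFORE" "$BAD_HOSTS" "$typed" true)"
    echo "  good hosts, canonicalize, FQDN principal only: $(ticket_request "$KDC_BEFORE" "$GOOD_HOSTS" "$typed" true)"
    echo "  bad hosts, no canonicalize, two principals:   $(ticket_request "$KDC_TWO" "$BAD_HOSTS" "$typed" false)"
    echo "  bad hosts, canonicalize, KDC alias added:      $(ticket_request "$KDC_ALIAS" "$BAD_HOSTS" "$typed" true)"
done
```

The difference between the last two cases is worth noting: with two separate principals the short and long names get tickets for different keys, while the KDC-side alias hands back a ticket for the single canonical principal whichever name the client derived, which is why only one keytab entry on the host is needed in that configuration.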

  • Thanks a lot for the hints! My /etc/hosts files were already "good" and running nslookup targethost and then nslookup for the IP resulted in FQDN. Changing them to "bad" didn't change anything. I suppose there are various configurations possible for hostname resolution.
    – bassjoe
    Commented Jan 12, 2017 at 19:42
  • I found the solution thanks to the term "canonicalization" you mentioned. I'll add it to the question. I did not try to turn canonicalization off. Thanks again!
    – bassjoe
    Commented Jan 12, 2017 at 19:44
  • @bassjoe: nslookup is the wrong tool to check, though. Use getent ahosts.
    Commented Jan 13, 2017 at 7:35
  • On a fresh Fedora 27 installation, after ipa-client-install, I needed to modify this entry in the /etc/krb5.conf to make it possible to run ssh shortname and have kerberos auth work like it did in Fedora 26 and before.
    – bgStack15
    Commented Nov 28, 2017 at 4:48
