Kerberos & localhost

Posted by Alex Leach on Server Fault See other posts from Server Fault or by Alex Leach
Published on 2012-05-30T13:53:17Z Indexed on 2012/05/30 22:42 UTC
Read the original article Hit count: 449

Filed under:
|
|

I've got a Kerberos v5 server set up on a Linux machine, and it's working very well when connecting to other hosts (using samba, ldap or ssh), for which there are principals in my kerberos database.

Can I use kerberos to authenticate against localhost though? And if I can, are there reasons why I shouldn't? I haven't made a kerberos principal for localhost. I don't think I should; instead I think the principal should resolve to the machine's full hostname. Is that possible?

I'd ideally like a way to configure this on just one server (whether kerberos, DNS, or ssh), but if each machine needs some custom configuration, that'd work too.

e.g $ ssh -v localhost

...
debug1: Unspecified GSS failure.  Minor code may provide more information
Server host/[email protected] not found in Kerberos database
...

EDIT:

So I had a bad /etc/hosts file. If I remember correctly, the original version I got with Ubuntu had two 127.0. IP addresses, something like:-

127.0.0.1 localhost
127.0.*1*.1 hostname

For no good reason, I'd changed mine a long time ago to:

127.0.0.1    localhost
127.0.*0*.1    hostname.example.com hostname

This seemed to work fine with everything until I tried out ssh with kerberos (a recent endeavour). Somehow this configuration led to sshd resolving the machine's kerberos principal to "host/localhost@\n", which I suppose makes sense if it uses /etc/hosts for forward and reverse dns lookups in preference to external dns. So I commented out the latter line, and sshd magically started authenticating with gssapi-with-mic. Awesome. (Then I investigated localhost and asked the question)

© Server Fault or respective owner

Related posts about ssh

Related posts about localhost