I've got a Kerberos v5 server set up on a Linux machine, and it's working very well when connecting to other hosts (using samba, ldap or ssh), for which there are principals in my kerberos database.
Can I use kerberos to authenticate against localhost though? And if I can, are there reasons why I shouldn't? I haven't made a kerberos principal for localhost. I don't think I should; instead I think the principal should resolve to the machine's full hostname
. Is that possible?
I'd ideally like a way to configure this on just one server (whether kerberos, DNS, or ssh), but if each machine needs some custom configuration, that'd work too.
e.g $ ssh -v localhost
...
debug1: Unspecified GSS failure. Minor code may provide more information
Server host/[email protected] not found in Kerberos database
...
EDIT:
So I had a bad /etc/hosts file. If I remember correctly, the original version I got with Ubuntu had two 127.0. IP addresses, something like:-
127.0.0.1 localhost
127.0.*1*.1 hostname
For no good reason, I'd changed mine a long time ago to:
127.0.0.1 localhost
127.0.*0*.1 hostname.example.com hostname
This seemed to work fine with everything until I tried out ssh with kerberos (a recent endeavour). Somehow this configuration led to sshd resolving the machine's kerberos principal to "host/localhost@\n", which I suppose makes sense if it uses /etc/hosts for forward and reverse dns lookups in preference to external dns. So I commented out the latter line, and sshd magically started authenticating with gssapi-with-mic. Awesome. (Then I investigated localhost and asked the question)
You can, using name canonicalization.
Modify
/etc/hosts
so it is similar to:This way localhost -> 127.0.0.1 -> hostname.domain.tld, which the server has a keytab entry for.
You will have to do this on each server.