Kerberos - /etc/hosts can be a killer.

Wed 26 July 2006

Filed under Sec.

Tags Lamer Moments Security

My own private war is with my habits. So often when testing web services, I will set up a name in /etc/hosts, allowing a quick and dirty approach to debugging, testing, or whatever.

I use Kerberos, and this is a problem, considering that I added this:

198.145.247.218   test.asylumware.com

When you connect to a Kerberized host with SSH, the Kerberos client does not simply use the name you typed. It forward-resolves that name to an IP address, then does a reverse (PTR) lookup on that address, and the canonical name that comes back is what it builds the service principal from: host/<that name>@REALM is the ticket it asks the KDC for. On a typical nsswitch.conf (hosts: files dns) /etc/hosts is consulted before DNS for both lookups, and for a reverse lookup the first name on the matching /etc/hosts line is the canonical name. So the line above makes every connection to 198.145.247.218 look, to Kerberos, like a connection to test.asylumware.com, a host that has no principal in the KDC.

After months of work, suddenly I could no longer auth via Kerberos. I couldn't see the problem, and I couldn't remember where to look. "ssh -v menionus@embassy.asylumware.com" reveals 'Server Not Found in Kerberos Database', and it's freaky, puzzling and can be depressing. Always look in the KDC log: it shows the offending requests, and the principal name in each request tells you exactly which name the client resolved, which is the clue you need.

root@embassy # grep -i 'server not found' krb5kdc.log
Jul 26 14:56:04 embassy krb5kdc[7482](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) XX.XX.XX.XX: UNKNOWN_SERVER:
 authtime 1153950097, menionus@ASYLUMWARE.COM for host/test.asylumware.com@ASYLUMWARE.COM, Server not found in Kerberos database
Jul 26 14:56:45 embassy krb5kdc[7482](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) XX.XX.XX.XX: UNKNOWN_SERVER:
 authtime 1153950097, menionus@ASYLUMWARE.COM for host/test.asylumware.com@ASYLUMWARE.COM, Server not found in Kerberos database
Jul 26 14:56:45 embassy krb5kdc[7482](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) XX.XX.XX.XX: UNKNOWN_SERVER:
 authtime 1153950097, menionus@ASYLUMWARE.COM for host/test.asylumware.com@ASYLUMWARE.COM, Server not found in Kerberos database

Here is the hack that avoids the problem: make the host's real name (the one that has a host/ principal in the KDC) the first name on the /etc/hosts line, and put the test aliases after it. The first name is what a reverse lookup returns, so connecting by any of the aliases now yields the right principal too.

198.145.247.218 embassy.asylumware.com testserver.myplace.com otherserver.myplace.com

Problem Solved. =)
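To make the failure reproducible without touching a real resolver, here is an added example (not code from the original post) that models the lookup order described above: forward-resolve the typed name, reverse-resolve the address, and build host/<canonical name>@REALM from the result, with /etc/hosts consulted before a stand-in DNS table. It also includes a small lint that flags /etc/hosts lines whose canonical name is not the one the KDC knows. The hosts text, the DNS entries, the realm and the KDC_KNOWN table are all constructed for the example.

```python
"""Simulate how an MIT Kerberos client chooses the host principal for
`ssh user@name` when reverse-DNS canonicalisation (rdns = true) is on.

Added example, not code from the original post. It models the lookup
order the post describes (forward-resolve the name, reverse-resolve the
address, use the canonical name that comes back) against an in-memory
/etc/hosts plus a stand-in DNS table, so the mistake can be reproduced
offline. The hosts text, DNS entries and realm below are constructed.
"""

REALM = "ASYLUMWARE.COM"

# Constructed stand-in for DNS: what the resolver sees once /etc/hosts misses.
DNS_A = {"embassy.asylumware.com": "198.145.247.218"}
DNS_PTR = {"198.145.247.218": "embassy.asylumware.com"}


def parse_hosts(text):
    """Build forward and reverse maps from /etc/hosts text.

    forward: every name and alias -> address (first match wins).
    reverse: address -> canonical name, i.e. the FIRST name on the first
             line that lists that address. That is what the files backend
             hands back for a reverse lookup, and it is the whole problem.
    """
    forward, reverse = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        if not names:
            continue
        reverse.setdefault(addr, names[0].lower())
        for name in names:
            forward.setdefault(name.lower(), addr)
    return forward, reverse


def resolve_forward(name, hosts_text):
    """nsswitch 'hosts: files dns': /etc/hosts first, then DNS."""
    forward, _ = parse_hosts(hosts_text)
    return forward.get(name.lower()) or DNS_A.get(name.lower())


def resolve_reverse(addr, hosts_text):
    """Reverse lookup follows the same order, so /etc/hosts overrides the PTR."""
    _, reverse = parse_hosts(hosts_text)
    return reverse.get(addr) or DNS_PTR.get(addr)


def host_principal(target, hosts_text, realm=REALM):
    """Principal the client asks the KDC for: host/<canonical name>@REALM."""
    addr = resolve_forward(target, hosts_text)
    if addr is None:
        raise LookupError(f"cannot resolve {target}")
    canonical = resolve_reverse(addr, hosts_text) or target  # no PTR data: keep typed name
    return f"host/{canonical.lower()}@{realm}"


def hosts_lint(hosts_text, known_hosts):
    """Flag /etc/hosts lines whose canonical name is not the name in the KDC.

    known_hosts maps address -> the name that has a host/ principal.
    Returns [(address, name /etc/hosts will hand back)] for each offender.
    """
    _, reverse = parse_hosts(hosts_text)
    return [(addr, reverse[addr]) for addr, want in known_hosts.items()
            if addr in reverse and reverse[addr] != want.lower()]


# The post's "quick and dirty" line: only the test name, so the reverse
# lookup of embassy's address now returns test.asylumware.com.
BROKEN_HOSTS = "198.145.247.218   test.asylumware.com\n"

# The post's fix: the real name first, aliases after it.
FIXED_HOSTS = ("198.145.247.218 embassy.asylumware.com "
               "testserver.myplace.com otherserver.myplace.com\n")

# Constructed: which name actually has a host/ principal on the KDC.
KDC_KNOWN = {"198.145.247.218": "embassy.asylumware.com"}

if __name__ == "__main__":
    for label, hosts in (("broken", BROKEN_HOSTS), ("fixed", FIXED_HOSTS)):
        print(label, host_principal("embassy.asylumware.com", hosts),
              "lint:", hosts_lint(hosts, KDC_KNOWN))
```

On a real box the equivalent check is `getent hosts 198.145.247.218`, which prints the canonical name the resolver will hand to Kerberos; if it is not the name in the KDC, fix the /etc/hosts line. Setting `rdns = false` under [libdefaults] in krb5.conf skips the reverse step entirely, which sidesteps this particular trap but changes which name is used for every host, so it is a deliberate policy choice rather than a quick patch.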

Up To Something © Joshua M Schmidlkofer