
I've set up Ubuntu for testing purposes.
- Installed MIT Kerberos (latest)
- Installed OpenSSH (latest)

I've set up and have working both KerberosAuthentication and pam_krb5 types of authentication, as well as GSSAPIAuthentication. All is well there.

When I set it up to use only "KerberosAuthentication" or "pam_krb5", I see requests for host/:

Nov 20 00:09:11 kdcname krb5kdc[12476](info): AS_REQ (2 etypes {16 17}) 192.168.1.104: NEEDED_PREAUTH: user@HELLO.COM for krbtgt/HELLO.COM@HELLO.COM, Additional pre-authentication required
Nov 20 00:09:11 kdcname krb5kdc[12476](info): AS_REQ (2 etypes {16 17}) 192.168.1.104: NEEDED_PREAUTH: user@HELLO.COM for krbtgt/HELLO.COM@HELLO.COM, Additional pre-authentication required
Nov 20 00:09:11 kdcname krb5kdc[12476](info): AS_REQ (2 etypes {16 17}) 192.168.1.104: ISSUE: authtime 1511154551, etypes {rep=17 tkt=18 ses=17}, user@HELLO.COM for krbtgt/HELLO.COM@HELLO.COM
Nov 20 00:09:11 kdcname krb5kdc[12476](info): AS_REQ (2 etypes {16 17}) 192.168.1.104: ISSUE: authtime 1511154551, etypes {rep=17 tkt=18 ses=17}, user@HELLO.COM for krbtgt/HELLO.COM@HELLO.COM
Nov 20 00:09:11 kdcname krb5kdc[12476](info): TGS_REQ (2 etypes {16 17}) 192.168.1.104: ISSUE: authtime 1511154551, etypes {rep=17 tkt=18 ses=17}, user@HELLO.COM for host/sshserver@HELLO.COM
Nov 20 00:09:11 kdcname krb5kdc[12476](info): TGS_REQ (2 etypes {16 17}) 192.168.1.104: ISSUE: authtime 1511154551, etypes {rep=17 tkt=18 ses=17}, user@HELLO.COM for host/sshserver@HELLO.COM

Is the host/ service principal needed for something (TGS_REQ)?

In my mind all you need is AS_REQ to validate the user's password.

jouell

1 Answer


It's to prevent man in the middle attacks against the KDC.

I found the answer in Google Books:

Pg 108/109 of Kerberos: The Definitive Guide seems authoritative.

I will delay in accepting this as an answer. There should be more of a write-up here, and my intent was not to self-promote, and copy/pasting more than a sentence or so seems inappropriate.

jouell
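
An added example (not from the original post or from MIT Kerberos): the TGS_REQ for host/ in the question's log is the login host checking the KDC's reply against its own keytab, so a KDC-side audit can flag TGTs issued to a login host that have no matching host/ ticket. The log sample is constructed in the question's format; `logins_without_host_check`, the 192.168.1.105 entry and `user2` are assumptions made for illustration.

```python
import re

# Constructed sample in the krb5kdc format quoted in the question.
# 192.168.1.104 logs in with the host/ check; 192.168.1.105 (made up) does not.
SAMPLE_LOG = """\
Nov 20 00:09:11 kdcname krb5kdc[12476](info): AS_REQ (2 etypes {16 17}) 192.168.1.104: NEEDED_PREAUTH: user@HELLO.COM for krbtgt/HELLO.COM@HELLO.COM, Additional pre-authentication required
Nov 20 00:09:11 kdcname krb5kdc[12476](info): AS_REQ (2 etypes {16 17}) 192.168.1.104: ISSUE: authtime 1511154551, etypes {rep=17 tkt=18 ses=17}, user@HELLO.COM for krbtgt/HELLO.COM@HELLO.COM
Nov 20 00:09:11 kdcname krb5kdc[12476](info): TGS_REQ (2 etypes {16 17}) 192.168.1.104: ISSUE: authtime 1511154551, etypes {rep=17 tkt=18 ses=17}, user@HELLO.COM for host/sshserver@HELLO.COM
Nov 20 00:12:40 kdcname krb5kdc[12476](info): AS_REQ (2 etypes {16 17}) 192.168.1.105: ISSUE: authtime 1511154760, etypes {rep=17 tkt=18 ses=17}, user2@HELLO.COM for krbtgt/HELLO.COM@HELLO.COM
"""

# Only ISSUE lines matter here; they carry the authtime of the underlying TGT.
ISSUE_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) \(.*?\) (?P<addr>\S+): "
    r"ISSUE: authtime (?P<authtime>\d+), .*?(?P<client>\S+@\S+) for (?P<service>\S+)"
)

def logins_without_host_check(log_text, login_hosts):
    """Return sorted (addr, client, authtime) for TGTs issued to a login host
    that were never followed by a host/ service ticket for the same TGT."""
    tgts, checked = set(), set()
    for line in log_text.splitlines():
        m = ISSUE_RE.search(line)
        if not m:
            continue  # NEEDED_PREAUTH, errors, lines from other daemons
        key = (m["addr"], m["client"], int(m["authtime"]))
        if m["req"] == "AS_REQ" and m["service"].startswith("krbtgt/"):
            tgts.add(key)
        elif m["req"] == "TGS_REQ" and m["service"].startswith("host/"):
            checked.add(key)  # same authtime ties this ticket to that TGT
    # Heuristic: any host/ ticket counts; it is not matched to the login
    # host's own principal, which would need an address-to-name mapping.
    return sorted(k for k in tgts - checked if k[0] in login_hosts)

if __name__ == "__main__":
    hosts = {"192.168.1.104", "192.168.1.105"}  # addresses that run sshd/PAM logins
    for addr, client, authtime in logins_without_host_check(SAMPLE_LOG, hosts):
        print(f"{addr}: TGT for {client} (authtime {authtime}) has no host/ check")
```

Restrict `login_hosts` to machines that perform password logins; a workstation running plain `kinit` legitimately requests a TGT without a host/ ticket.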