I've set up Ubuntu for testing purposes.
- Installed MIT Kerberos (latest)
- Installed OpenSSH (latest)
I've set up and have working both the KerberosAuthentication and pam_krb5 types of authentication, as well as GSSAPIAuthentication. All is well there.
When I set it up to use only "KerberosAuthentication" or "pam_krb5", I see requests for host/:
Nov 20 00:09:11 kdcname krb5kdc[12476](info): AS_REQ (2 etypes {16 17}) 192.168.1.104: NEEDED_PREAUTH: user@HELLO.COM for krbtgt/HELLO.COM@HELLO.COM, Additional pre-authentication required
Nov 20 00:09:11 kdcname krb5kdc[12476](info): AS_REQ (2 etypes {16 17}) 192.168.1.104: NEEDED_PREAUTH: user@HELLO.COM for krbtgt/HELLO.COM@HELLO.COM, Additional pre-authentication required
Nov 20 00:09:11 kdcname krb5kdc[12476](info): AS_REQ (2 etypes {16 17}) 192.168.1.104: ISSUE: authtime 1511154551, etypes {rep=17 tkt=18 ses=17}, user@HELLO.COM for krbtgt/HELLO.COM@HELLO.COM
Nov 20 00:09:11 kdcname krb5kdc[12476](info): AS_REQ (2 etypes {16 17}) 192.168.1.104: ISSUE: authtime 1511154551, etypes {rep=17 tkt=18 ses=17}, user@HELLO.COM for krbtgt/HELLO.COM@HELLO.COM
Nov 20 00:09:11 kdcname krb5kdc[12476](info): TGS_REQ (2 etypes {16 17}) 192.168.1.104: ISSUE: authtime 1511154551, etypes {rep=17 tkt=18 ses=17}, user@HELLO.COM for host/sshserver@HELLO.COM
Nov 20 00:09:11 kdcname krb5kdc[12476](info): TGS_REQ (2 etypes {16 17}) 192.168.1.104: ISSUE: authtime 1511154551, etypes {rep=17 tkt=18 ses=17}, user@HELLO.COM for host/sshserver@HELLO.COM
Is the host/ service principal needed for something (TGS_REQ)?
In my mind all you need is AS_REQ to validate the user's password.
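
An added example, not part of the original post: a small parser for the krb5kdc lines quoted above that separates the AS exchange from issued TGS requests for non-krbtgt principals such as host/sshserver. The regular expressions are written against the line format shown in the post only, and the sample input is three of the post's log lines with the repeats dropped.

```python
import re

# Matches the krb5kdc request lines in the form quoted in the post.
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<etypes>[\d ]+)\}\) (?P<addr>\S+): "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# "<client> for <service>" appears in both ISSUE and NEEDED_PREAUTH lines.
PRINC_RE = re.compile(r"(?P<client>\S+) for (?P<service>[^\s,]+)")

# Sample input: three of the log lines from the post (repeats dropped).
SAMPLE = """\
Nov 20 00:09:11 kdcname krb5kdc[12476](info): AS_REQ (2 etypes {16 17}) 192.168.1.104: NEEDED_PREAUTH: user@HELLO.COM for krbtgt/HELLO.COM@HELLO.COM, Additional pre-authentication required
Nov 20 00:09:11 kdcname krb5kdc[12476](info): AS_REQ (2 etypes {16 17}) 192.168.1.104: ISSUE: authtime 1511154551, etypes {rep=17 tkt=18 ses=17}, user@HELLO.COM for krbtgt/HELLO.COM@HELLO.COM
Nov 20 00:09:11 kdcname krb5kdc[12476](info): TGS_REQ (2 etypes {16 17}) 192.168.1.104: ISSUE: authtime 1511154551, etypes {rep=17 tkt=18 ses=17}, user@HELLO.COM for host/sshserver@HELLO.COM
"""

def parse_line(line):
    """Return a dict for one KDC request line, or None if it does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    p = PRINC_RE.search(m.group("rest"))
    if p is None:
        return None
    return {
        "req": m.group("req"),
        "status": m.group("status"),
        "addr": m.group("addr"),
        "etypes": [int(e) for e in m.group("etypes").split()],
        "client": p.group("client"),
        "service": p.group("service"),
    }

def parse_log(text):
    """Parse every matching line of a log excerpt, skipping the rest."""
    return [e for e in map(parse_line, text.splitlines()) if e]

def service_tickets(events):
    """Issued TGS_REQs for anything other than a krbtgt principal."""
    return [(e["client"], e["service"], e["addr"]) for e in events
            if e["req"] == "TGS_REQ" and e["status"] == "ISSUE"
            and not e["service"].startswith("krbtgt/")]

if __name__ == "__main__":
    events = parse_log(SAMPLE)
    for e in events:
        print(e["req"], e["status"], e["client"], "->", e["service"])
    print("service tickets:", service_tickets(events))
```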