Dimitar Popchev

Reputation: 63

Kerberos, get ticket using ssh tunneling

So I have to kinit as a certain principal locally using its keytab.

Since the Kerberos KDC is on a remote server, which I reach over VPN, I need to use ssh to access the server, and thus tunnel to the service.

For this I did the following:

  1. Copied the krb5.conf from the remote server and replaced the local with it
  2. Copied the keytab of my interest
  3. Since I need access to the service:

    ssh -L1088:localhost:88 -L10749:localhost:749 remote_server
    
  4. Changed the local file krb5.conf to

    admin_server = localhost:10749
    kdc = localhost:1088
    

But when I try to kinit

    KRB5_TRACE=/dev/stdout kinit -kt ${PRINCIPAL_KEYTAB}.keytab ${PRINCIPAL_NAME}
    [12332] 1504171391.121253: Getting initial credentials for ${PRINCIPAL_NAME}
    [12332] 1504171391.123940: Looked up etypes in keytab: des, des-cbc-crc, aes128-cts, rc4-hmac, aes256-cts, des3-cbc-sha1
    [12332] 1504171391.124027: Sending request (227 bytes) to ${DOMAIN}
    [12332] 1504171391.124613: Resolving hostname localhost
    [12332] 1504171391.124988: Sending initial UDP request to dgram ::1:1088
    [12332] 1504171391.125070: Sending initial UDP request to dgram 127.0.0.1:1088
    [12332] 1504171391.125120: Initiating TCP connection to stream ::1:1088
    [12332] 1504171391.125165: Terminating TCP connection to stream ::1:1088
    [12332] 1504171391.125186: Initiating TCP connection to stream 127.0.0.1:1088
    [12332] 1504171391.125216: Terminating TCP connection to stream 127.0.0.1:1088
    kinit: Cannot contact any KDC for realm '${DOMAIN}' while getting initial credentials

  5. I retried by adding ssh -vvv and got

    debug1: Connection to port 1088 forwarding to localhost port 88 requested.
    debug2: fd 15 setting TCP_NODELAY
    debug2: fd 15 setting O_NONBLOCK
    debug3: fd 15 is O_NONBLOCK
    debug1: channel 7: new [direct-tcpip]
    debug3: send packet: type 90
    debug1: Connection to port 1088 forwarding to localhost port 88 requested.
    debug2: fd 16 setting TCP_NODELAY
    debug2: fd 16 setting O_NONBLOCK
    debug3: fd 16 is O_NONBLOCK
    debug1: channel 8: new [direct-tcpip]
    debug3: send packet: type 90
    

I tried tcpdump, and locally there are attempts to connect, but I cannot find any packets received on the other side.

I edited out all other information in the krb5.conf.

What I am missing here or is this possible at all?

PS: netstat says the ports exist and are open on both machines. I have no problem running kinit on the server itself.

PPS: From what I see the KDC is actually listening on UDP port 88, not TCP; could this be a problem?

Upvotes: 4

Views: 3100

Answers (2)

timvw

Reputation: 346

Instead of having to tunnel UDP traffic as well, you could force Kerberos to use only TCP as follows:

[realms]
 MY.REALM = {
  kdc = tcp/localhost:1088
  master_kdc = tcp/localhost:1088
  admin_server = tcp/localhost:1749
 }

And now set up your TCP/ssh tunnel as before:

ssh -L1088:kdc.server:88 -L1749:kdc.server:749 ssh.hop

Upvotes: 1

Dimitar Popchev

Reputation: 63

I resolved it after all by using socat and ssh as follows, with the help of several tutorials:

We are receiving UDP packets on 1088, but ssh tunnels only TCP, so with socat we can "transform" them:

locally$ socat -T15 udp4-recvfrom:1088,reuseaddr,fork tcp:localhost:1089

Now we create an ssh tunnel of that port to the remote server with

locally$ ssh -L1089:localhost:1089 remote_server

After that we transform the TCP packets arriving at 1089 back to UDP and redirect them to the KDC at port 88 via

server$ socat tcp4-listen:1089,reuseaddr,fork UDP:localhost:88

Upvotes: 2
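The two socat commands in the answer above form a UDP-to-TCP-to-UDP relay: ssh -L only carries TCP, so datagrams destined for a UDP-only KDC have to be turned into a stream on the client, carried through the tunnel, and turned back into datagrams next to the KDC. The following is an added example, not code from the question or either answer, that implements both halves of that relay in Python so the whole chain can be run and checked offline. It assumes a constructed stand-in for the KDC (a UDP echo service that tags each request), it collapses the ssh -L hop between the two halves into a direct loopback TCP connection, and it frames each datagram with a 4-byte length prefix, a choice of this example rather than of socat, so that datagram boundaries survive the stream even if TCP coalesces or splits segments.

```python
import socket
import struct
import threading

def recv_exact(sock, n):
    """Read exactly n bytes from a stream socket, or raise if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-frame")
        buf += chunk
    return buf

def send_frame(sock, data):
    """Put one datagram on the stream with a 4-byte big-endian length prefix."""
    sock.sendall(struct.pack("!I", len(data)) + data)

def recv_frame(sock):
    """Inverse of send_frame: recover one whole datagram from the stream."""
    (length,) = struct.unpack("!I", recv_exact(sock, 4))
    return recv_exact(sock, length)

def udp_to_tcp_relay(udp_sock, tcp_target, stop):
    """Client-side half (the role of 'socat udp4-recvfrom:1088 ... tcp:localhost:1089'):
    forward each datagram, framed, over TCP to tcp_target (where ssh -L listens)
    and send the framed reply back to the datagram's sender."""
    udp_sock.settimeout(0.2)
    while not stop.is_set():
        try:
            data, peer = udp_sock.recvfrom(65535)
        except socket.timeout:
            continue
        with socket.create_connection(tcp_target, timeout=5) as ts:
            send_frame(ts, data)
            reply = recv_frame(ts)
        udp_sock.sendto(reply, peer)

def tcp_to_udp_relay(tcp_listener, udp_target, stop):
    """Server-side half (the role of 'socat tcp4-listen:1089 ... UDP:localhost:88'):
    one framed request per connection goes out as a datagram to udp_target (the
    KDC) and the KDC's datagram reply is framed back onto the connection."""
    tcp_listener.settimeout(0.2)
    while not stop.is_set():
        try:
            conn, _ = tcp_listener.accept()
        except socket.timeout:
            continue
        with conn:
            data = recv_frame(conn)
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as us:
                us.settimeout(5)
                us.sendto(data, udp_target)
                reply, _ = us.recvfrom(65535)
            send_frame(conn, reply)

def fake_udp_kdc(udp_sock, stop):
    """Constructed stand-in for a UDP-only KDC: echoes the request with a tag so
    the round trip can be checked offline (a real KDC answers AS-REP or KRB-ERROR)."""
    udp_sock.settimeout(0.2)
    while not stop.is_set():
        try:
            data, peer = udp_sock.recvfrom(65535)
        except socket.timeout:
            continue
        udp_sock.sendto(b"AS-REP-FOR:" + data, peer)

def _bound(kind):
    """Loopback socket on an ephemeral port (read the port back with getsockname())."""
    s = socket.socket(socket.AF_INET, kind)
    s.bind(("127.0.0.1", 0))
    if kind == socket.SOCK_STREAM:
        s.listen(16)
    return s

def run_demo(request=b"AS-REQ(example principal)"):
    """Wire the chain on loopback, with the ssh -L hop between the two relays
    collapsed into a direct TCP connection; return what the UDP client gets back."""
    stop = threading.Event()
    kdc, listener, client_udp = _bound(socket.SOCK_DGRAM), _bound(socket.SOCK_STREAM), _bound(socket.SOCK_DGRAM)
    threads = [
        threading.Thread(target=fake_udp_kdc, args=(kdc, stop), daemon=True),
        threading.Thread(target=tcp_to_udp_relay, args=(listener, kdc.getsockname(), stop), daemon=True),
        threading.Thread(target=udp_to_tcp_relay, args=(client_udp, listener.getsockname(), stop), daemon=True),
    ]
    for t in threads:
        t.start()
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as client:
            client.settimeout(5)
            client.sendto(request, client_udp.getsockname())  # what kinit would send to localhost:1088
            reply, _ = client.recvfrom(65535)
    finally:
        stop.set()
        for t in threads:
            t.join()
        for s in (kdc, listener, client_udp):
            s.close()
    return reply

if __name__ == "__main__":
    print(run_demo())  # b'AS-REP-FOR:AS-REQ(example principal)'
```

Running the file pushes one datagram through client relay, stream, server relay and stand-in KDC and prints the tagged reply. The plain socat pair relies on each UDP payload arriving as a single TCP read on the far side, which holds for small AS-REQ/AS-REP exchanges but is not guaranteed by TCP; the length prefix here removes that dependency. Note that socat with fork keeps a TCP child per UDP peer, whereas this example opens one TCP connection per request, which is enough for kinit's single request/response.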
