[clug] Kerberos through an SSH tunnel

David Schoen neerolyte at gmail.com
Tue Mar 8 03:51:55 MST 2011


On 8 March 2011 17:06, Daniel Rose <drose at dtlm.homelinux.net> wrote:
> Suppose Kerberos works fine for
> http://server.example.com/path/script.cgi on a network.
>
> If you:
>
> ssh localhost -L4545:server.example.com:80
>
> Then visit
>
> http://localhost:4545/path/script.cgi

I'm a bit hazy on this because it's a long time since I played with it
and I never got past prototyping it for a client...

In the setup we had, the domain trail (e.g. .example.com) needed to
match for the client, the server and the upstream AD (we were
using AD; I have no idea what happens with other Kerberos
implementations).

So you'd need to have something like:
 - adesktop.example.com
 - ADserver.example.com
 - webserver.example.com

for everything to "play nice".

The issue we had was with the webserver and the AD server being on
different domain trails and no one knowing enough about domain trusts
to be confident it was a worthwhile avenue of research (the whole
thing got canned :( ).


Anyway, I think your issue might be simpler. Your browser is probably
sending a header line of "Host: localhost:4545" when in fact the
server wants to see "Host: service.example.com".

I'd suggest trying to ssh with "-L 80:server.example.com:80" so that
the remote server is available on your machine on port 80 and adding a
line to your hosts file of "127.0.0.1 server.example.com".

I'm not at all confident this will work or even help, but hopefully
it's providing some food for thought.

- dave
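To make the hostname point in the reply concrete, here is an added example (not code from the thread or from any of the posters): it derives, from a URL, the Host header a browser sends and the HTTP service principal a SPNEGO client asks the KDC for, and compares both against what the web server expects. The server name, the realm and the assumption that the client does no DNS canonicalisation of the hostname are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed sample values (assumed for this example, not from the thread):
# the web server's real name and the realm its AD domain maps to.
SERVER_FQDN = "server.example.com"
REALM = "EXAMPLE.COM"

# The principal the web server holds a key for: HTTP/<fqdn>@REALM.
SERVER_PRINCIPAL = f"HTTP/{SERVER_FQDN}@{REALM}"

DEFAULT_PORTS = {"http": 80, "https": 443}


def host_header(url: str) -> str:
    """Host header a browser sends: the URL host, plus the port when it
    is not the scheme's default (so http://x:4545/ gives 'x:4545')."""
    parts = urlsplit(url)
    if parts.port is None or parts.port == DEFAULT_PORTS.get(parts.scheme):
        return parts.hostname
    return f"{parts.hostname}:{parts.port}"


def requested_principal(url: str, realm: str = REALM) -> str:
    """Service principal a SPNEGO client requests, built from the URL
    host only (assumes the client does not canonicalise it via DNS)."""
    return f"HTTP/{urlsplit(url).hostname}@{realm}"


def check(url: str) -> dict:
    """Compare what the client sends for this URL with what the server
    expects; both must match for Kerberos auth to succeed."""
    hdr = host_header(url)
    princ = requested_principal(url)
    return {
        "host_header": hdr,
        "principal": princ,
        "host_ok": hdr == SERVER_FQDN,
        "kerberos_ok": princ == SERVER_PRINCIPAL,
    }


if __name__ == "__main__":
    # Tunnel on a high port: both the Host header and the ticket are wrong.
    print(check("http://localhost:4545/path/script.cgi"))
    # Tunnel on port 80 plus a hosts-file entry: the URL keeps the real name.
    print(check("http://server.example.com/path/script.cgi"))
```

With the hosts-file approach the browser never sees "localhost" in the URL, so a ticket for HTTP/server.example.com is requested and the Host header matches as well.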

