SSH with Kerberos 5 GSSAPI

Srinivas Cheruku csri at sonata-software.com
Fri Mar 22 06:24:56 EST 2002


Default configuration should work properly. Otherwise you can add the below
lines in your sshd configuration file

GssapiAuthentication yes
GssapiKeyExchange yes
GssapiUseSessionCredCache yes

Also start the client session in the verbose mode and see what is happening
by giving
$ ssh -v hostname

Also you can check on the KDC log whether it has issued a forwarded TGT.



-----Original Message-----
From: Someone [mailto:please at nospam.net]
Sent: Friday, March 22, 2002 4:30 PM
To: kerberos at mit.edu
Subject: Re: SSH with Kerberos 5 GSSAPI


Srinivas Cheruku wrote:

> Did you get a forwardable TGT before running the ssh client?
> Get the forwardable TGT; only then can your identity be delegated to the
> session opened by the ssh client.
> 
> 
> -----Original Message-----
> From: Someone [mailto:please at nospam.net]
> Sent: Friday, March 22, 2002 3:56 PM
> To: kerberos at mit.edu
> Subject: SSH with Kerberos 5 GSSAPI
> 
> 
> Hello,
> 
> I just compiled SSH v3.0.2p1 with the GSSAPI patch included. It works
> fine, well I get my password authenticated by the KDC but I have
> remarked that I didn't get any tickets, is that normal? Or maybe I have
> to do a kinit myself after the login with ssh?
>
> The problem is that when I do kinit to get my ticket I get the following
> error:
> 
>  > kinit
> Password for username at REALM:
> kinit(v5): No credentials cache found when initializing cache
> 
> What does that mean? I am using Linux with MIT Kerberos 5 v 1.2.3.
> 
> Thanks for the help
> Regards
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> http://mailman.mit.edu/mailman/listinfo/kerberos
> *********************************************************************
> Disclaimer: The information in this e-mail and any attachments is
> confidential / privileged. It is intended solely for the addressee or
> addressees. If you are not the addressee indicated in this message, you may
> not copy or deliver this message to anyone. In such case, you should destroy
> this message and kindly notify the sender by reply email. Please advise
> immediately if you or your employer does not consent to Internet email for
> messages of this kind.
> *********************************************************************

You're right, I didn't have a ticket before, so what I did is a kinit -f and
then just sshed on the same machine that I am already on. I tried klist
after but still the same result, nothing. Do I need to activate some
options in sshd_config maybe?

Regards

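The two things checked in this thread, the three sshd options from the reply and a forwardable TGT on the client, can be scripted. The following is an added example, not part of the original messages: the function names are hypothetical, the sample configuration and `klist -f` output are constructed, and the `klist` parsing assumes the MIT layout in which a "Flags:" line follows each ticket.

```shell
#!/bin/sh
# Added example. Sample inputs are constructed; function names are hypothetical.

# Print the options named in the reply that are not effectively "yes".
# Reads sshd configuration text on stdin. Keywords are case-insensitive and,
# as in sshd, the first value given for a keyword is the one that counts.
missing_gssapi_options() {
    awk '
        /^[ \t]*(#|$)/ { next }                       # comments, blank lines
        { k = tolower($1); if (!(k in seen)) seen[k] = tolower($2) }
        END {
            n = split("GssapiAuthentication GssapiKeyExchange GssapiUseSessionCredCache", want, " ")
            for (i = 1; i <= n; i++)
                if (seen[tolower(want[i])] != "yes") { out = out sep want[i]; sep = " " }
            print out
        }'
}

# Succeed if the krbtgt entry in `klist -f` output (stdin) carries flag $1.
# F = forwardable (client, after kinit -f); f = forwarded (inside the session).
# Assumes the MIT layout where a "Flags:" line follows each ticket line.
tgt_has_flag() {
    awk -v flag="$1" '
        /krbtgt\//      { tgt = 1; next }             # TGT line; flags come next
        tgt && /Flags:/ { sub(/.*Flags:[ \t]*/, ""); if (index($0, flag)) hit = 1 }
                        { tgt = 0 }
        END             { exit(hit ? 0 : 1) }'
}

SAMPLE_SSHD_CONFIG='Port 22
GssapiAuthentication yes
#GssapiKeyExchange yes
GssapiUseSessionCredCache no'

SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
03/22/02 16:40:01  03/23/02 02:40:01  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: FI'

missing=$(printf '%s\n' "$SAMPLE_SSHD_CONFIG" | missing_gssapi_options)
echo "sshd options not set to yes: ${missing:-none}"
if printf '%s\n' "$SAMPLE_KLIST" | tgt_has_flag F; then
    echo "TGT is forwardable; ssh can delegate it"
else
    echo "TGT is not forwardable; run kinit -f before ssh"
fi
```

On a live system, pipe `klist -f` into `tgt_has_flag` and feed the server's sshd configuration file to `missing_gssapi_options` on stdin.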


