SSH with Kerberos 5 GSSAPI

Someone please at nospam.net
Fri Mar 22 06:44:28 EST 2002


Srinivas Cheruku wrote:

> Default configuration should work properly. Otherwise you can add the below
> lines in your sshd configuration file
> 
> GssapiAuthentication yes
> GssapiKeyExchange yes
> GssapiUseSessionCredCache yes
> 
> Also start the client session in the verbose mode and see what is happening
> by giving
> $ ssh -v hostname
> 
> Also you can check on the KDC log whether it has issued a forwarded TGT.
> 
I have added those lines to sshd_config but it didn't help; here is the
output of the ssh client:

 > ssh -v hostname
OpenSSH_3.0.2p1, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid XXXX geteuid 0 anon 1
debug1: Connecting to tonostix [X.X.X.X] port 22.
debug1: temporarily_use_uid: XXXX/XXXX (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: XXXX/XXXX (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /home/username/.ssh/identity type -1
debug1: identity file /home/username/.ssh/id_rsa type -1
debug1: identity file /home/username/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.0.2p1
debug1: match: OpenSSH_3.0.2p1 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.0.2p1
debug1: Miscellaneous failure
debug1: Server not found in Kerberos database
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 133/256
debug1: bits set: 1558/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'hostname' is known and matches the RSA host key.
debug1: Found key in /home/username/.ssh/known_hosts2:104
debug1: bits set: 1569/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: external-keyx,gssapi,publickey,password,keyboard-interactive
debug1: next auth method to try is external-keyx
debug1: authentications that can continue: external-keyx,gssapi,publickey,password,keyboard-interactive
debug1: next auth method to try is gssapi
debug1: authentications that can continue: external-keyx,gssapi,publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try privkey: /home/username/.ssh/identity
debug1: try privkey: /home/username/.ssh/id_rsa
debug1: try privkey: /home/username/.ssh/id_dsa
debug1: next auth method to try is keyboard-interactive
debug1: authentications that can continue: external-keyx,gssapi,publickey,password,keyboard-interactive
debug1: next auth method to try is password
username at hostname's password:
debug1: packet_send2: adding 64 (len 60 padlen 4 extra_pad 64)
debug1: ssh-userauth2 successful: method password
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: ssh_session2_setup: id 0
debug1: channel request 0: shell
debug1: channel 0: open confirm rwindow 0 rmax 16384
Last login: Fri Mar 22 12:38:15 2002 from hostname.domain.com
Linux 2.4.5.


Output of kinit:

 > kinit
Password for username at REALM:
kinit(v5): No credentials cache found when initializing cache


Output of klist:

 > klist
klist: No credentials cache found (ticket cache FILE:)


Kerberos 4 ticket cache: /tmp/tktXXXX
klist: You have no tickets cached


Any ideas?
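Reading the debug output above the way a defender would, here is an added example (not from the post, OpenSSH or MIT Kerberos) that pulls the GSSAPI-relevant facts out of ssh -v and klist output and turns them into ordered troubleshooting hints; the sample excerpts are constructed from the lines quoted in the post, and the hint about KRB5CCNAME is an assumption about what an empty "FILE:" cache name usually means.

```python
import re

# Constructed excerpts modelled on the ssh -v and klist output quoted in the post.
SSH_VERBOSE = """debug1: Local version string SSH-2.0-OpenSSH_3.0.2p1
debug1: Miscellaneous failure
debug1: Server not found in Kerberos database
debug1: authentications that can continue: 
external-keyx,gssapi,publickey,password,keyboard-interactive
debug1: next auth method to try is gssapi
debug1: ssh-userauth2 successful: method password
"""
KLIST_OUTPUT = "klist: No credentials cache found (ticket cache FILE:)\n"


def triage_gssapi_ssh(ssh_verbose: str, klist_output: str) -> dict:
    """Extract the GSSAPI-relevant facts; \\s* tolerates mail-wrapped method lists."""
    offered = re.search(r"authentications that can continue:\s*(\S+)", ssh_verbose)
    final = re.search(r"ssh-userauth2 successful: method (\S+)", ssh_verbose)
    cache = re.search(r"\(ticket cache ([^)]*)\)", klist_output)
    methods = offered.group(1).split(",") if offered else []
    final_method = final.group(1) if final else None
    cache_name = cache.group(1) if cache else None
    return {
        "service_principal_unknown": "Server not found in Kerberos database" in ssh_verbose,
        "no_ccache": "No credentials cache found" in klist_output,
        # "FILE:" with nothing after the colon: the cache name carries no path.
        "ccache_name_empty": bool(cache_name and re.fullmatch(r"\w+:", cache_name)),
        "offered_methods": methods,
        "final_method": final_method,
        # gssapi was offered, yet a later method authenticated the session.
        "gssapi_fell_through": "gssapi" in methods and final_method not in (None, "gssapi"),
    }


def explain(report: dict) -> list:
    """Turn the report into hints, in the order a practitioner would check them."""
    hints = []
    if report["no_ccache"]:
        hints.append("no Kerberos TGT on the client; GSSAPI cannot work until kinit succeeds")
    if report["ccache_name_empty"]:
        hints.append("cache name has no path; check KRB5CCNAME (assumed cause of an empty FILE:)")
    if report["service_principal_unknown"]:
        hints.append("KDC has no service principal for the name the client resolved; "
                     "compare host/<fqdn>@REALM in the KDC with the server's forward and reverse DNS")
    if report["gssapi_fell_through"]:
        hints.append(f"gssapi was offered but the session used {report['final_method']}; "
                     "the GSSAPI failure is silent at this debug level")
    return hints


if __name__ == "__main__":
    for hint in explain(triage_gssapi_ssh(SSH_VERBOSE, KLIST_OUTPUT)):
        print("-", hint)
```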
