documentation for ssh/gssapi auth anywhere?

paul paul.koelle at archit.uni-weimar.de
Mon Dec 8 12:34:18 EST 2003



Hi list,

posted this earlier to c.s.ssh but got no response at all, so I hope I 
will have more luck here. Please tell me if this is OT and if so where 
to ask. Thanks


--------------------------------------------------------------------------

I'm searching for documentation in order to authenticate ssh users
against my kerberos database. The configuration directives in
sshd_config and various postings on the net indicate that this is
possible via GSSAPI, but neither the manpage of sshd nor that of
sshd_config seems to cover the subject. I searched openssh.org, the net
and google groups for info but couldn't come up with anything useful.

I think I have a basic understanding of how Kerberos works and how to set up
services to use it (I actually successfully set up OpenLDAP with
SASL-GSSAPI, so the Kerberos stuff should be working). As I couldn't find
any documentation, I did the setup as follows:

1. compiled openssh-3.7.1_p2 with kerberos support. (ldd told me ;)
2. created a service principal ssh/host.tld@REALM (tried with
sshd/host.tld@REALM but no luck either)
3. exported that principal to a keytab, readable by sshd
4. set KRB5_KTNAME to point to the keytab.
5. started sshd -ddd
--------------------------------------------
ssh'ing from the client to the server gives:

debug3: preferred gssapi, publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi
debug3: Next authentication method: gssapi
debug2: we sent a gssapi packet, wait for reply
...
...
debug2: we did not sent a packet, disable method
debug3: authmethod_lookup publickey
...
then it goes further to normal password-based auth.

--------------------------------------------
On the server, I got the error:

debug1: Miscellaneous failure
No principal in keytab matches desired name

I'm stuck here, what is the "desired name"?
FYI, I did not get a service ticket and sshd does not raise an error
when the TGT is expired. Does anyone know where all this is documented?

thanks
  Paul
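The server-side error above ("No principal in keytab matches desired name") is Kerberos telling sshd that the keytab it was pointed at holds no key for the principal name the GSSAPI mechanism asked for. The script below is an added example, not part of the original post or of OpenSSH: it takes the text of a `klist -k` listing and checks it for the host-based service principal `host/<fqdn>@<REALM>`, which is the name OpenSSH's Kerberos GSSAPI mechanism requests (the poster's keytab carries `ssh/` and `sshd/` entries instead). Both keytab listings in the script are constructed for illustration; on a real system you would feed it the output of `klist -k /path/to/keytab` and the host's fully qualified name.

```shell
#!/bin/sh
# Added example (not part of the original post): given the text of
# `klist -k <keytab>`, report whether it contains the host-based principal
# host/<fqdn>@<REALM> that sshd's Kerberos GSSAPI mechanism asks for.
# Both listings below are constructed for illustration.

# Constructed listing resembling the poster's setup: ssh/ and sshd/ entries only.
KEYTAB_LISTING_POSTED='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 ssh/host.tld@REALM
   2 sshd/host.tld@REALM'

# Constructed listing that additionally carries the host/ principal.
KEYTAB_LISTING_FIXED='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 ssh/host.tld@REALM
   3 host/host.tld@REALM'

# has_host_principal LISTING FQDN REALM
# Returns 0 when host/FQDN@REALM appears in the listing, 1 otherwise.
# The first three lines of klist -k output are headers and are skipped.
has_host_principal() {
    listing=$1; fqdn=$2; realm=$3
    printf '%s\n' "$listing" | awk -v want="host/${fqdn}@${realm}" '
        NR > 3 && $2 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# principals_in_listing LISTING
# Prints the principal names (second column) so the operator can compare
# them with the name sshd wants.
principals_in_listing() {
    printf '%s\n' "$1" | awk 'NR > 3 && NF >= 2 { print $2 }'
}

# Stand-alone usage: run the check against both constructed listings.
for name in POSTED FIXED; do
    eval "listing=\$KEYTAB_LISTING_$name"
    if has_host_principal "$listing" host.tld REALM; then
        echo "$name: host/host.tld@REALM present"
    else
        echo "$name: missing host/host.tld@REALM; keytab has:"
        principals_in_listing "$listing" | sed 's/^/  /'
    fi
done
```

The check deliberately compares the full principal string, including the realm, because a keytab entry for the right service under a different realm or a short hostname fails the lookup just as the missing `host/` entry does. Running it against the first listing prints the two principals the poster created, making the mismatch with the expected name visible at a glance.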








More information about the Kerberos mailing list