Forwarding Kerberos Credentials - SSH

Parag Godkar paragg at
Tue Jun 17 05:58:08 EDT 2003


We have a setup of few Red Hat linux servers authenticating
against the windows 2000 advanced server KDC.

Our people ssh to the linux servers and obtain kerberos
credentials from the Win2k KDC. I have observed that the
credentials obtained are forwardable by issuing the command -

      klist -af

and noting the flags (Flags: FPRIA). However, when they ssh 
to another linux server from the already connected ssh session, 
the credentials do not get forwarded, instead they are again 
prompted for a password.

The openssh server and client on all the linux servers is the 
default "rpm-based" install.

I have the following two questions -

1. Do I have to  compile openssh on all the  linux servers after
    applying Simon Wilkinson's gss-api patch from -

2. When I tried to compile openssh-3.6.1p2 after applying the gss-api
    patch on a rhlinux 9 test server, I got the following warning on running 
    configure ( ./configure --with-kerberos5=/usr/kerberos ) script -

checking for gss_init_sec_context in -lgssapi... no
checking for gss_init_sec_context in -lgssapi_krb5... yes
checking gssapi.h usability... no
checking gssapi.h presence... no
checking for gssapi.h... no
checking gssapi.h usability... yes
checking gssapi.h presence... yes
checking for gssapi.h... yes
checking gssapi_krb5.h usability... no
checking gssapi_krb5.h presence... yes
configure: WARNING: gssapi_krb5.h: present but cannot be compiled
configure: WARNING: gssapi_krb5.h: check for missing prerequisite headers?
configure: WARNING: gssapi_krb5.h: proceeding with the preprocessor's result
configure: WARNING:     ## ------------------------------------ ##
configure: WARNING:     ## Report this to bug-autoconf at ##
configure: WARNING:     ## ------------------------------------ ##
checking for gssapi_krb5.h... yes

Running "make" and "make install" does not give any errors.
However using the newly compiled ssh server, I am not able to login 
using kerberos credentials. Local users on the server are however
able to login using shadow passwords.

The following kerberos rpms are installed on the rhlinux 9 test server 


Can someone help please.

Parag Godkar

More information about the Kerberos mailing list