Forwarding Kerberos Credentials - SSH

Frank Cusack fcusack at fcusack.com
Thu Jun 19 04:30:41 EDT 2003


On Tue, 17 Jun 2003 13:26:47 +0000 (UTC) paragg at konark.ncst.ernet.in ("Parag Godkar") wrote:
>> > 1. Do I have to compile openssh on all the linux servers after
>> >     applying Simon Wilkinson's gss-api patch from -
>> >     http://www.sxw.org.uk/computing/patches/openssh.html
>>
>> Yes, if you want to use protocol 2.  If you use protocol 1, you don't
>> need the patches.  I highly recommend protocol 2 for Kerberos use.
>>
>>
>> You haven't described your setup well enough to get any help.  (Other
>> than the above 2 questions, however you got them both right.)  Most
>> importantly, you haven't described whether krb5 works at all.
>>
>> Try /usr/kerberos/bin/telnet on your Linux machine and see if that works.
>> If not, the problem is in your krb5 setup, not openssh.
>
> Thanks, Frank for the reply.
>
> I am elaborating a bit, as requested by you
> so that I make myself more clear -

Wow.  Lots of info. :-)  I'll quote it all, since it's so involved that
it will be useful to have a complete reference in a single message.

> 1) I have a rhlinux 9 test server configured as a kerberos client to the
>     Windows 2000 KDC. (I know it is properly configured as we are using
>     the same setup on our production servers for the past one year, only
>     that we have never been able to forward kerberos credentials.)
>
> 2) I have the following krb5 and openssh "rpms" installed on this rhlinux 9
>     test server -
>
> krb5-server-1.2.7-10
> krb5-workstation-1.2.7-10
> krb5-libs-1.2.7-10
> krb5-devel-1.2.7-10
> pam_krb5-1.60-1
> openssh-3.5p1-6
> openssh-server-3.5p1-6
> openssh-clients-3.5p1-6
>
> 3) I am using SSH Secure Shell from www.ssh.com to connect to this rhlinux 9
>     test server from a windows client.
>
> 4) I am able to ssh to this linux test server using "SSH Secure Shell" from
>     a windows client using my kerberos password. I am able to get kerberos
>     credentials which I can verify by issuing the command "klist -5af" which
>     gives this result -
> -------------------------------------------------------------------------
> Ticket cache: FILE:/tmp/krb5cc_1002_CBmkCB
> Default principal: paragg@TEST.NCST.ERNET.IN
>
> Valid starting     Expires            Service principal
> 06/17/03 17:40:01  06/18/03 03:40:01  krbtgt/TEST.NCST.ERNET.IN@TEST.NCST.ERNET.IN
>         renew until 06/18/03 03:40:01, Flags: FPRIA
>         Addresses: kripa.ncst.ernet.in
> -------------------------------------------------------------------------
>
> 5) But when I ssh to another linux server in the same kerberos domain from
>     the already connected ssh session, the credentials do not get forwarded,
>     instead I am again prompted for a password.

Need to see debug info to figure out what's wrong ... run sshd -d -p 222
on the server and ssh -v -p 222 on the client.

> 6) I am able to login to that another linux server by providing the kerberos
>     password again and I get another set of kerberos credentials which I have
>     verified.
>
> I draw the following conclusions from these -
>     1. krb5 is working fine.
>     2. ssh with rpm install is also working fine as I get the kerberos
>         credentials only that I am not able to forward them.

yes and yes, but why can't you forward them?  The F flag is present?  I
guess you just mean, forwarding them via ssh doesn't seem to work.

>     3. I must compile openssh with gss-api patch to enable forwarding of
>         kerberos credentials obtained from Win2k KDC.

No.  Only if you want to use ssh protocol 2.  ahhh... this is the problem.
By default, ssh will select protocol 2.  Which doesn't support krb5.  So
you must tell it to use protocol 1, and probably must tell the server
to do krb5 (probably sshd_config on the server doesn't accept krb5 by
default).

Try ssh -1 -v server and see what you get.

> 7) So now I compile openssh-3.6.1p2 after applying the gss-api
>     patch on the rhlinux 9 test server and install it in /usr/local
>     as follows -
>        ./configure --with-kerberos5=/usr/kerberos
>         autoreconf
>         make
>         make install
>
> 8) I stop the "sshd" daemon from /etc/init.d and start the newly compiled
>     daemon - /usr/local/sbin/sshd & .
>
> 9) Now it doesn't seem to work as I am not able to ssh to the linux
>     test server using my kerberos password but I am able to ssh using
>     local shadow password.

That's because you didn't provide the correct configure flags.  You at
least want --with-pam.  Look at the openssh src rpm from RedHat and use
their same configure flags.

> I draw the following conclusions from these -
>     1. Newly compiled ssh is working fine as normal ssh logins work.
>     2. But, it has not been properly kerberized as kerberos logins fail.
>         That is just why I thought that the warning messages I received
>         during configure are the cause for this mal-behaviour, but you
>         say it is normal.

The RH one is not kerberized either, in that sense (for password lookup).
It uses PAM, which in your patched version, you did not enable.

> Now I have the following questions -
>
> 1. Is forwarding of Kerberos Credentials for a Win2k KDC not possible
>     with an "rpm" install of openssh and I must compile openssh with gss-api
>     patch in order to support forwarding ?

I don't know if this actually works or not.  You'll be able to tell from
the debug info I mentioned above what's going on.  (If you can't, post
the info and I or someone else here can help look through it.)

> 2. If I must compile, then what is wrong with my compilation as it doesn't
>     work for kerberos ?

see above.

> 3. I think I am using SSH 2 as the "SSH Secure Shell" client prompts me if I
>     am using SSH1 which is true in case of one of our old solaris server.

ahh. so my guess above is correct; yes you are using ssh2.

>     Do you mean that by using "rpm" install of openssh, I will be using SSH1
>     and I need to compile openssh with gss-api patch in order to use SSH2?

No, with the rpm install you'll still be using ssh2 unless you force it
with ssh -1.

My guess is that the ssh1 will work for you once you get the server config
setup correctly.  But you should continue to work on the GSSAPI method
with ssh2.

/fc
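Two checks that follow from the reply above, written as an added example rather than anything posted in the thread: whether the TGT actually carries the F (forwardable) flag Frank asks about, and which value sshd will really use for a keyword, since OpenSSH takes the first occurrence of a keyword in sshd_config and ignores later duplicates. Both functions take the text as an argument, so they run on the constructed samples below without krb5 or sshd installed; the klist sample is modelled on the output quoted in the thread and the sshd_config fragment is invented for the demonstration.

```shell
#!/bin/sh
# Added example (not code from the thread). Checks a klist -5af dump for a
# forwardable TGT and looks up the effective value of an sshd_config keyword.

# Constructed sample, modelled on the klist -5af output quoted in the thread.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1002_CBmkCB
Default principal: paragg@TEST.NCST.ERNET.IN

Valid starting     Expires            Service principal
06/17/03 17:40:01  06/18/03 03:40:01  krbtgt/TEST.NCST.ERNET.IN@TEST.NCST.ERNET.IN
        renew until 06/18/03 03:40:01, Flags: FPRIA
        Addresses: kripa.ncst.ernet.in'

# Constructed sshd_config fragment: the comment does not count, "Protocol 2"
# is the first real setting, and the later "Protocol 1,2" is ignored by sshd.
SAMPLE_SSHD_CONFIG='# Protocol 1
Protocol 2
KerberosAuthentication no
Protocol 1,2'

# tgt_flags KLIST_TEXT -> prints the Flags field of the krbtgt entry
tgt_flags() {
    printf '%s\n' "$1" | awk '
        /krbtgt\// { in_tgt = 1 }
        in_tgt && /Flags:/ { sub(/.*Flags: */, ""); print $1; exit }
    '
}

# tgt_is_forwardable KLIST_TEXT -> exit status 0 when the F flag is set
tgt_is_forwardable() {
    case "$(tgt_flags "$1")" in
        *F*) return 0 ;;
        *)   return 1 ;;
    esac
}

# sshd_option CONFIG_TEXT KEYWORD -> prints the first (effective) value,
# matching the keyword case-insensitively and skipping comment lines
sshd_option() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        tolower($1) == key { print $2; exit }
    '
}

# Stand-alone run over the constructed samples
tgt_is_forwardable "$SAMPLE_KLIST" && echo "TGT is forwardable" || echo "TGT is NOT forwardable"
echo "effective sshd Protocol: $(sshd_option "$SAMPLE_SSHD_CONFIG" Protocol)"
```

On a real host, feed it `"$(klist -5af)"` and `"$(cat /etc/ssh/sshd_config)"` instead of the samples; a missing F flag points at the ticket, not at ssh.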
