Forwarding Kerberos Credentials - SSH

Donn Cave donn at u.washington.edu
Thu Jun 19 13:22:50 EDT 2003


In article <m38yry4gge.fsf at magma.savecore.net>,
 Frank Cusack <fcusack at fcusack.com> wrote:
> Wow.  Lots of info. :-)  I'll quote it all, since it's so involved that
> it will be useful to have a complete reference in a single message.

Good - so, folks who want that complete reference:  you know where to go!

> No.  Only if you want to use ssh protocol 2.  ahhh... this is the problem.
> By default, ssh will select protocol 2.  Which doesn't support krb5.  So
> you must tell it to use protocol 1, and probably must tell the server
> to do krb5 (probably sshd_config on the server doesn't accept krb5 by
> default).

I found this all a little confusing, and I'm sure there are people
here who know more about the GSSAPI OpenSSH patch, but in case it
helps ...  The way I read it, he applied this patch with the expectation
that it provides Kerberos support for protocol 2, and that is true -
it should.  Only between patched OpenSSH servers and clients, because
unfortunately it doesn't interoperate with the ssh.com approach to
Kerberos 5 for protocol 2.  I agree that ssh -v ought to help narrow
down the problem.  It might be worth trying some other Kerberos 5
application - I believe we're talking about Redhat Linux here, where
the telnet and ftp applications should support Kerberos 5.

Secondly I think the term "forwarding" doesn't apply to the scenarios
I'm reading about here.  If you log in to sshd with your Kerberos
password, the remote credentials acquired in the process are actually
local in this sense - they reside on the host that acquired them, as
sshd did that.  When used to authenticate to some service from there,
that's just simple basic Kerberos authentication, no forwarding needed.

   Donn Cave, donn at u.washington.edu
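As an added illustration of the "ssh -v ought to help narrow down the problem" advice above (this is not code from the thread or from OpenSSH), the script below parses client debug output to show which protocol was negotiated and which SSH-2 userauth methods the server offered, then says whether a Kerberos/GSSAPI method was among them. The debug lines are a constructed sample, not a real capture; the host name and address are placeholders; and the set of method names treated as "Kerberos" (the draft-era `gssapi`, the later `gssapi-with-mic`, and the ssh.com `kerberos-2@ssh.com`) is an assumption about what a given patched build prints, so adjust it to the build you are testing.

```python
import re

# Constructed sample of `ssh -v` client output (not a real capture). Wording
# varies across OpenSSH versions and Kerberos/GSSAPI patches.
SAMPLE_DEBUG = """\
debug1: Connecting to host.example.org [192.0.2.10] port 22.
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.6.1p1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Next authentication method: password
"""

# Assumed SSH-2 userauth method names that mean Kerberos/GSSAPI is in play:
# "gssapi" (early GSSAPI patch), "gssapi-with-mic" (RFC 4462) and the
# ssh.com variant "kerberos-2@ssh.com". Extend for the build under test.
KERBEROS_METHODS = {"gssapi", "gssapi-with-mic", "kerberos-2@ssh.com"}


def parse_ssh_debug(text):
    """Extract negotiated protocol and userauth methods from ssh -v output."""
    info = {"protocol": None, "offered": [], "tried": []}
    for line in text.splitlines():
        # "1.99" means the server speaks both; the client then picks 2 and
        # logs the compatibility-mode line, which is the authoritative hint.
        m = re.search(r"Remote protocol version (\d)\.\d+", line)
        if m and info["protocol"] is None:
            info["protocol"] = int(m.group(1))
        if "Enabling compatibility mode for protocol 2.0" in line:
            info["protocol"] = 2
        # SSH-2 servers list the methods they accept after each failure.
        m = re.search(r"Authentications that can continue: (\S+)", line)
        if m:
            info["offered"] = m.group(1).split(",")
        m = re.search(r"Next authentication method: (\S+)", line)
        if m:
            info["tried"].append(m.group(1))
    return info


def diagnose(info):
    """Return (kerberos_usable, explanation) for a parsed session.

    kerberos_usable is True/False for protocol 2 and None when the
    answer cannot be read from userauth method names (protocol 1,
    or no protocol line found)."""
    krb = sorted(set(info["offered"]) & KERBEROS_METHODS)
    if info["protocol"] == 2 and not krb:
        return (False, "protocol 2 negotiated but the server offered no "
                       "Kerberos/GSSAPI method; either force protocol 1 or "
                       "make sure both ends carry and enable the GSSAPI patch")
    if info["protocol"] == 2:
        return (True, "protocol 2 with Kerberos method(s): " + ",".join(krb))
    if info["protocol"] == 1:
        return (None, "protocol 1 negotiated; Kerberos support there is a "
                      "server option, not a listed userauth method, so check "
                      "sshd_config on the server")
    return (None, "no protocol version line found in the debug output")


if __name__ == "__main__":
    parsed = parse_ssh_debug(SAMPLE_DEBUG)
    print(parsed)
    print(diagnose(parsed))
```

Run it against a real `ssh -v` transcript by feeding the saved output to `parse_ssh_debug`; the interesting case is the first branch of `diagnose`, which is the situation described in the quoted message: protocol 2 was chosen, so protocol-1 Kerberos never came into play, and the server listed no GSSAPI method.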


More information about the Kerberos mailing list