Forwarding Kerberos Credentials - SSH

Douglas E. Engert deengert at
Thu Jun 19 14:21:36 EDT 2003

Parag needs to provide a little more information. 

We are running OpenSSH-3.6.1p2 with Simon's patch. Works great. 

Do a klist -f before and after on the client to see the tickets.
On the new ssh session to the first host, also do echo $KRB5CCNAME and 
klist -f to see if you did get a forwarded ticket. 

Start a test version of the sshd -p 2222 -d -d -d on the server 
then on the client  do a ssh -p 2222 -v -v -v so as to get the traces
on both ends. 

On the server, also do a ls -l /tmp/krb5* and see if a new cache was created
with the forwarded ticket. It could be the env is not being set. 

If you have access to the KDC, look at the syslog to see tickets being issued.
You should see an additional TGT being issued, which will be forwarded.  

Does the sshd_config have:
GssapiAuthentication yes
I think this is the default, but you can try it. 

Donn Cave wrote:
> In article <m38yry4gge.fsf at>,
>  Frank Cusack <fcusack at> wrote:
> > Wow.  Lots of info. :-)  I'll quote it all, since it's so involved that
> > it will be useful to have a complete reference in a single message.
> Good - so, folks who want that complete reference:  you know where to go!
> > No.  Only if you want to use ssh protocol 2.  ahhh... this is the problem.
> > By default, ssh will select protocol 2.  Which doesn't support krb5.  So
> > you must tell it to use protocol 1, and probably must tell the server
> > to do krb5 (probably sshd_config on the server doesn't accept krb5 by
> > default).
> I found this all a little confusing, and I'm sure there are people
> here who know more about the GSSAPI OpenSSH patch, but in case it
> helps ...  The way I read it, he applied this patch with the expectation
> that it provides Kerberos support for protocol 2, and that is true -
> it should.  Only between patched OpenSSH servers and clients, because
> unfortunately it doesn't interoperate with the approach to
> Kerberos 5 for protocol 2.  I agree that ssh -v ought to help narrow
> down the problem.  It might be worth trying some other Kerberos 5
> application - I believe we're talking about Redhat Linux here, where
> the telnet and ftp applications should support Kerberos 5.
> Secondly I think the term "forwarding" doesn't apply to the scenarios
> I'm reading about here.  If you log in to sshd with your Kerberos
> password, the remote credentials acquired in the process are actually
> local in this sense - they reside on the host that acquired them, as
> sshd did that.  When used to authenticate to some service from there,
> that's just simple basic Kerberos authentication, no forwarding needed.
>    Donn Cave, donn at
> ________________________________________________
> Kerberos mailing list           Kerberos at


 Douglas E. Engert  <DEEngert at>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444

More information about the Kerberos mailing list