Forwarding Kerberos Credentials - SSH

Donn Cave donn at u.washington.edu
Mon Jun 23 16:48:28 EDT 2003


In article <00a501c3393f$b366fda0$ad978dca at CDACMUMBAI.CDACINDIA.COM>,
 paragg at konark.ncst.ernet.in ("Parag Godkar") wrote:
...
> 9. Now from this telnet/ssh session, I would like the users to
>    telnet/ssh to another linux server (or to the same server) 
>    in the same kerberos domain WITHOUT BEING PROMPTED FOR A 
>    PASSWORD.
> 
>    NOW THIS IS WHAT I WANT TO KNOW IF IT IS 
>    PRACTICABLE OR I AM TRYING TO DO SOMETHING
>    IMPOSSIBLE?

Yes!  It is possible, and everything up to here leads me to
expect it will work.

But as another followup has already pointed out, the server
apparently has no service key - from the server diagnostics,
>  Miscellaneous failure No principal in keytab matches desired name

Someone needs to create a principal host/x.y.z and add its key
to /etc/krb5.keytab on x.y.z (the remote host).

Remember when testing the client, you must do that as the user
who logged in and has the credentials -- don't do it as root.


> 3. I have the following relevant lines in my sshd_config -
> 
>    #RSAAuthentication yes
>    #PubkeyAuthentication yes
>    #AuthorizedKeysFile     .ssh/authorized_keys
>    #PasswordAuthentication yes
>    #PermitEmptyPasswords no
>    #ChallengeResponseAuthentication yes
>    KerberosAuthentication yes
>    #KerberosOrLocalPasswd yes
>    #KerberosTicketCleanup yes
>    GssapiAuthentication yes
>    GssapiKeyExchange yes
>    GssapiUseSessionCredCache yes
>    #AFSTokenPassing no
>    #KerberosTgtPassing no
>    #PAMAuthenticationViaKbdInt no
> 
>    and the following relevant lines in my ssh_config -
> 
>    # Host *
>    #   ForwardAgent no
>    #   ForwardX11 no
>    #   PasswordAuthentication yes
>    GssapiAuthentication yes
>    GSSAPIDelegateCredentials yes

"KerberosAuthentication yes" alone, in both, should be enough,
something you can easily try if you have further difficulties.

   Donn Cave, donn at u.washington.edu
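The checks below are an added example, not part of Donn's reply or of the OpenSSH/MIT Kerberos distributions. They turn the three points in the thread into a pre-flight script: what the KDC admin runs to give the target host a host/x.y.z service key (the fix for "No principal in keytab matches desired name"), a check that the keytab on the target really lists that principal, a check that the relevant sshd_config/ssh_config keyword is uncommented and set to yes, and a client-side check, run as the logged-in user rather than root, that the credential cache holds a forwardable TGT (without the F flag there is nothing for GSSAPIDelegateCredentials to forward). The hostname x.y.z, the realm EXAMPLE.COM and every listing in the script are constructed; the parsers assume the output formats of MIT Kerberos `klist -k` and `klist -f`.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenSSH/MIT Kerberos.
# Pre-flight checks for GSSAPI/Kerberos ssh login with credential delegation.
# x.y.z, EXAMPLE.COM and all listings below are constructed for illustration;
# parsers assume MIT Kerberos `klist -k` / `klist -f` output and OpenSSH config syntax.

# 1. What the KDC admin runs to fix "No principal in keytab matches desired
#    name": create host/<fqdn> and export its key. Printed, not executed.
provision_host_keytab() {
    fqdn=$1; realm=$2
    printf 'kadmin.local -q "addprinc -randkey host/%s@%s"\n' "$fqdn" "$realm"
    printf 'kadmin.local -q "ktadd -k /tmp/%s.keytab host/%s@%s"\n' "$fqdn" "$fqdn" "$realm"
    printf '# copy /tmp/%s.keytab to %s:/etc/krb5.keytab, owner root, mode 0600\n' "$fqdn" "$fqdn"
}

# 2. On the target host: does `klist -k /etc/krb5.keytab` list host/<fqdn>@<REALM>?
#    $1 = listing text, $2 = fqdn, $3 = realm. Exit 0 if present.
keytab_has_host_principal() {
    printf '%s\n' "$1" | awk -v want="host/$2@$3" \
        '$2 == want { found = 1 } END { exit found ? 0 : 1 }'
}

# 3. Is a keyword effectively "yes" in sshd_config/ssh_config? OpenSSH keywords
#    are case-insensitive, '#' lines are comments, and the first uncommented
#    occurrence wins. $1 = config text, $2 = keyword. Exit 0 if yes.
config_option_is_yes() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        !seen && tolower($1) == key { val = tolower($2); seen = 1 }
        END { exit (val == "yes") ? 0 : 1 }'
}

# 4. On the client, as the logged-in user (not root): does the credential cache
#    hold a forwardable TGT? Without the F flag GSSAPIDelegateCredentials has
#    nothing to forward and the second hop asks for a password again.
#    $1 = `klist -f` output, $2 = realm. Exit 0 if forwardable.
ccache_tgt_is_forwardable() {
    printf '%s\n' "$1" | awk -v realm="$2" '
        $NF == ("krbtgt/" realm "@" realm) { tgt = 1; next }
        tgt && /Flags: / { sub(/.*Flags: /, ""); ok = (index($1, "F") > 0) }
        { tgt = 0 }
        END { exit ok ? 0 : 1 }'
}

# ---- constructed sample data (not real hosts, keys or tickets) ----
KEYTAB_OK='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/x.y.z@EXAMPLE.COM
   2 host/x.y.z@EXAMPLE.COM'

KEYTAB_MISSING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 nfs/x.y.z@EXAMPLE.COM'

SSHD_CONFIG='#KerberosAuthentication no
KerberosAuthentication yes
GssapiAuthentication yes'

CCACHE_FORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: parag@EXAMPLE.COM

Valid starting     Expires            Service principal
06/23/03 16:00:00  06/24/03 02:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 06/30/03 16:00:00, Flags: FRIA'

CCACHE_PLAIN='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: parag@EXAMPLE.COM

Valid starting     Expires            Service principal
06/23/03 16:00:00  06/24/03 02:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: IA'

# Stand-alone demo: run each check on the samples and report.
report() { if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; fi; }
report keytab_has_host_principal "$KEYTAB_OK" x.y.z EXAMPLE.COM
report keytab_has_host_principal "$KEYTAB_MISSING" x.y.z EXAMPLE.COM
report config_option_is_yes "$SSHD_CONFIG" GSSAPIAuthentication
report config_option_is_yes "$SSHD_CONFIG" PubkeyAuthentication
report ccache_tgt_is_forwardable "$CCACHE_FORWARDABLE" EXAMPLE.COM
report ccache_tgt_is_forwardable "$CCACHE_PLAIN" EXAMPLE.COM
provision_host_keytab x.y.z EXAMPLE.COM
```

On a real host, feed the functions live output instead of the samples, e.g. `keytab_has_host_principal "$(klist -k /etc/krb5.keytab)" "$(hostname -f)" EXAMPLE.COM` on the target and `ccache_tgt_is_forwardable "$(klist -f)" EXAMPLE.COM` on the client; if the last one fails, re-run `kinit -f` as the user before trying ssh again.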

