OpenSSH and Kerberos Questions

Joe Odenweller joe_odenweller at
Tue Nov 16 10:26:38 EST 2004

I am attempting to put together an implementation of Kerberos 5 and
OpenSSH 3.8.1p1 and have question as wether I am doing it correctly.

My first step was getting Kerberos 5 operational on all the systems
involved and setting up integrated logins.  Credentials are created
for host/<hostname>@<REALMNAME>, and <username>@<REALMNAME>.  For the
affected accounts this allow me to keep login passwords in Kerberos
and once logged in the system has already done a kinit <username>.

My next step is to install OpenSSH 3.8.1p1 (IBM distribution) and set

/etc/ssh/ssh_config: (on source/client)
host *
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

/etc/ssh/sshd_config: (on target/server)
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

At this point I do not have forwardable credentials.  I can
successfully ssh from source to target but a klist on the target shows
no credentials.  Next, back on the source/client I redo my kinit with
-f.  I then do a ssh to the server/target.  The session setup appears
nearly complete (observed via -vvv and -ddd ) when the session is torn

My question, have I missed any setting?

More information about the Kerberos mailing list