OpenSSH and Kerberos Questions

Douglas E. Engert deengert at
Tue Nov 16 16:07:03 EST 2004

Joe Odenweller wrote:
> I am attempting to put together an implementation of Kerberos 5 and
> OpenSSH 3.8.1p1 and have a question as to whether I am doing it correctly.
> My first step was getting Kerberos 5 operational on all the systems
> involved and setting up integrated logins.  Credentials are created
> for host/<hostname>@<REALMNAME>, and <username>@<REALMNAME>.  For the
> affected accounts this allows me to keep login passwords in Kerberos
> and once logged in the system has already done a kinit <username>.
> My next step is to install OpenSSH 3.8.1p1 (IBM distribution) and set
> parameters:
> /etc/ssh/ssh_config: (on source/client)
> host *
> GSSAPIAuthentication yes
> GSSAPIDelegateCredentials yes
> /etc/ssh/sshd_config: (on target/server)
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes

For now leave this last line off so you can see if any
credentials were delegated.

> At this point I do not have forwardable credentials.  I can
> successfully ssh from source to target but a klist on the target shows
> no credentials. 

But did ssh really use the gssapi? On the client after you log off
do a klist to see if the host/server at realm ticket was obtained.

> Next, back on the source/client I redo my kinit with
> -f.  I then do a ssh to the server/target.  The session setup appears
> nearly complete (observed via -vvv and -ddd ) when the session is torn
> down.

Do you have any output? It should have worked. Did the server side
have the message "Received some client credentials" or did
it say "Got no client credentials", i.e., were tickets forwarded?

> My question, have I missed any setting?

Only that you said it was IBM's implementation. Are they
doing anything strange? Is it their KDC? Are there any extra
flags set on the user or server principals? Like ok-to-delegate?
Is the server's host name registered in DNS correctly?



  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
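The two checks suggested in the reply, scripted: did ssh actually obtain a host/<server>@REALM service ticket (so GSSAPI was really used), and is the client's TGT forwardable (flag F), without which GSSAPIDelegateCredentials has nothing to delegate. This is an added example, not part of the thread; it assumes the MIT `klist -f` output layout, and the cache path, principal names, realm and times in the sample listing are constructed.

```sh
#!/bin/sh
# Added example (not from the thread): inspect a klist -f listing for the
# two conditions discussed above. The listing below is constructed.

SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: joe@EXAMPLE.ORG

Valid starting       Expires              Service principal
11/16/04 15:00:00  11/17/04 01:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        Flags: FIA
11/16/04 15:01:00  11/17/04 01:00:00  host/target.example.org@EXAMPLE.ORG
        Flags: FA'

# has_host_ticket LISTING HOST REALM -> 0 if a host/HOST@REALM ticket exists,
# which is what klist on the client should show after a GSSAPI ssh login.
has_host_ticket() {
    printf '%s\n' "$1" | grep -qF "host/$2@$3"
}

# tgt_flags LISTING REALM -> prints the flag letters of the krbtgt ticket
# (the "Flags:" line that klist -f prints directly under the ticket).
tgt_flags() {
    printf '%s\n' "$1" | awk -v realm="$2" '
        $NF == "krbtgt/" realm "@" realm { want = 1; next }
        want && $1 == "Flags:"          { print $2; exit }
        want                            { want = 0 }
    '
}

# tgt_forwardable LISTING REALM -> 0 if the TGT carries F (forwardable),
# i.e. kinit was run with -f as the thread describes.
tgt_forwardable() {
    case "$(tgt_flags "$1" "$2")" in
        *F*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Stand-alone run: report on the constructed listing.
if has_host_ticket "$SAMPLE_KLIST" target.example.org EXAMPLE.ORG; then
    echo "host/target.example.org ticket present: ssh did use GSSAPI"
else
    echo "no host ticket: ssh fell back to another authentication method"
fi
if tgt_forwardable "$SAMPLE_KLIST" EXAMPLE.ORG; then
    echo "TGT is forwardable: delegation is possible"
else
    echo "TGT is not forwardable: run kinit -f before ssh"
fi
```

On a real client, replace `$SAMPLE_KLIST` with `"$(klist -f)"` after the ssh session to run the same checks against the live credential cache.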
