problem setting up ssh-krb5 from Debian Sarge

Wes Chow wes at woahnelly.net
Sat Oct 30 01:17:20 EDT 2004


> Well, check your /etc/hosts file.  I believe that Debian puts the 
> hostname on the 127.0.0.1 line.  This is not good.

Yeah I saw other postings about that, so I fixed it...

> You have libpam-openafs-session installed.  Are you using it as a 
> session module also?
> session    required     pam_openafs_session.so

I tried putting that line in /etc/pam.d/common-session and now I'm
getting this in auth.log:

Oct 30 01:09:18 jack sshd[529]: Authorized to wchow, krb5 principal
wchow at D2702.
ATHENACR.COM (krb5_kuserok)
Oct 30 01:09:18 jack sshd[529]: pam_openafs-krb5: open_session: Could
not find K
erberos tickets; not running aklog
Oct 30 01:09:18 jack sshd[529]: (pam_unix) session opened for user
wchow by (uid
=0)
Oct 30 01:09:18 jack sshd[529]: Accepted gssapi for wchow from
192.168.0.16 port
 33003 ssh2
 

> Please show output from klist -f:

>From the client:

wchow at hippo:~$ klist -f
Ticket cache: FILE:/tmp/krb5cc_p18325
Default principal: wchow at D2702.ATHENACR.COM

Valid starting     Expires            Service principal
10/30/04 01:03:26  10/30/04 11:03:25
krbtgt/D2702.ATHENACR.COM at D2702.ATHENACR.COM
        Flags: FPI
	10/30/04 01:03:28  10/30/04 11:03:25
afs/d2702.athenacr.com at D2702.ATHENACR.COM
        Flags: FPT
	10/30/04 01:03:32  10/30/04 11:03:25
host/jack.dev.in.athenacr.com at D2702.ATHENACR.COM
        Flags: FPT
	
	
	Kerberos 4 ticket cache: /tmp/tkt1000
	klist: You have no tickets cached
	

>From the remove host after sshing in:

wchow at jack:~$ klist -f
Ticket cache: FILE:/tmp/krb5cc_1000_snx537
Default principal: wchow at D2702.ATHENACR.COM

Valid starting     Expires            Service principal
10/30/04 01:13:42  10/30/04 11:03:25
krbtgt/D2702.ATHENACR.COM at D2702.ATHENACR.COM
        Flags: FfPT
	
	
	Kerberos 4 ticket cache: /tmp/tkt1000
	klist: You have no tickets cached
	

No AFS tokens acquired :(

Thanks,
Wes

-- 
http://www.woahnelly.net/~wes/          OpenPGP key = 0xA5CA6644
fingerprint = FDE5 21D8 9D8B 386F 128F  DF52 3F52 D582 A5CA 6644


More information about the Kerberos mailing list