kerberos V with SSH : password reasked

AD. me at privacy.net
Thu Feb 10 21:09:30 EST 2005


On Wed, 02 Feb 2005 15:05:12 -0800, nat wrote:

> I'm installing kerberos on a debian distrib (current sarge), the
> installation looks good, tickets are correctly created when a user asks for
> a connection:
> 
> Ticket cache: FILE:/tmp/[...]
> Default principal: [...]@[DOMAIN]
> 
> Valid starting     Expires            Service principal
> 02/02/05 22:12:46  02/03/05 08:12:45  krbtgt/[DOMAIN]@[DOMAIN]
> 
> Kerberos 4 ticket cache: /tmp/[...]
> klist: You have no tickets cached
> 
> 
> But afterwards, if he does an ssh on the machine, the kerberos password is
> asked...
> 
> I don't know what I should do to correct this problem. Can someone help me? I'm
> totally lost in krb5.

I was having a similar problem today. Debian Sarge at both ends of the SSH
connection and a Windows 2003 KDC (SBS).

I'd got PAM configured properly and could log on to Debian and get
tickets, but SSH always fell back to keyboard-interactive. Entering the
password again got me in successfully though. When using debug level
3 it seemed the SSH client tried GSSAPI first but didn't seem to get a
response.

I had set up the /etc/krb5.keytab file properly too according to the
O'Reilly Kerberos book by Jason Garman.

I then installed the kerberised telnet packages from Debian just to see
whether I could get them going instead.

Telnet complained about not being able to canonicalise the addresses or
something which gave me a clue.

I had just been (during the initial testing) using the hosts files on the
two Linux machines for name resolution. The KDC couldn't resolve the
hostnames though. Once I had stuck some records for the Debian machines in
the DNS it all worked.

-- 
Cheers
Anton
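
The fix described in the message above was adding DNS records for machines that had only been listed in hosts files. The following is an added example, not part of the original message: a check that compares the local resolver's answer for a host with what DNS alone returns, and confirms the reverse record points back to the same name. It assumes `getent` and `dig` are installed.

```bash
#!/bin/bash
# Added example (not from the thread): compare the local resolver's view of a
# host (NSS, which includes /etc/hosts) with what DNS alone returns.
# Assumes getent and dig are installed.

# Local view: whatever nsswitch.conf allows, hosts file included.
nss_addr() { getent hosts "$1" | awk 'NR==1 {print $1}'; }
# DNS-only view: what a machine without your hosts file (e.g. the KDC) sees.
dns_addr() { dig +short A "$1" | grep -E '^[0-9.]+$' | head -n 1; }
dns_ptr()  { dig +short -x "$1" | head -n 1 | sed 's/\.$//'; }

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Prints a verdict for one FQDN. Returns 0 when forward and reverse DNS agree.
check_host() {
    local host nss dns ptr
    host=$1
    nss=$(nss_addr "$host")
    dns=$(dns_addr "$host")
    if [ -z "$dns" ] && [ -n "$nss" ]; then
        echo "FAIL $host: resolves locally to $nss but has no A record in DNS"
        return 1
    fi
    if [ -z "$dns" ]; then
        echo "FAIL $host: does not resolve"
        return 1
    fi
    if [ -n "$nss" ] && [ "$nss" != "$dns" ]; then
        echo "FAIL $host: local resolver says $nss, DNS says $dns"
        return 1
    fi
    ptr=$(dns_ptr "$dns")
    if [ "$(lower "$ptr")" != "$(lower "$host")" ]; then
        echo "FAIL $host: PTR for $dns is '${ptr}', expected $host"
        return 1
    fi
    echo "OK $host: $dns, forward and reverse DNS agree"
}

# Check every FQDN given on the command line.
for h in "$@"; do check_host "$h"; done
```

Run it with the fully qualified names of both SSH endpoints as arguments, on a machine that uses the same DNS servers as the KDC.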


