kerberos V with SSH : password reasked
me at privacy.net
Thu Feb 10 21:09:30 EST 2005
On Wed, 02 Feb 2005 15:05:12 -0800, nat wrote:
> I'm installing kerberos on a debian distrib (current sarge), the
> installation looks good, ticket are correctly created when a user ask for
> a connection :
> Ticket cache: FILE:/tmp/[...]
> Default principal: [...]@[DOMAIN]
> Valid starting Expires Service principal 02/02/05 22:12:46
> 02/03/05 08:12:45 krbtgt/[DOMAIN]@[DOMAIN]
> Kerberos 4 ticket cache: /tmp/[...]
> klist: You have no tickets cached
> But after if he does a ssh on the machine, the kerberos password is
> I don't know what I sould do to correct this problem. Can so help me ? I'm
> a totaly lost in krb5.
I was having a similar problem today. Debian Sarge at both ends of the SSH
connection and a Windows 2003 KDC (SBS).
I'd got PAM configured properly and could log on to Debian and get
tickets, but SSH always fell back to keyboard-interactive. Entering the
password again got me in successfully though. When using debug level
3 it seemed the SSH client tried GSSAPI first but didn't seem to get a
I had set up the /etc/krn5.keytab file properly too according to the
O'Reilly Kerberos book by Jason Garman.
I then installed the kerberised telnet packages from Debian just to see
whether I could get them going instead.
Telnet complained about not being able to canonicalise the addresses or
something which gave me a clue.
I had just been (during the initial testing) using the hosts files on the
two Linux machines for name resolution. The KDC couldn't resolve the
hostnames though. Once I had stuck some records for the Debain machines in
the DNS it all worked.
More information about the Kerberos