Single sign-on with ssh (only unix)

Nathan Ollerenshaw nathan at valuecommerce.co.jp
Thu Jun 2 23:26:02 EDT 2005


Hi again folks!

I eventually got it working partially, but I have a question.

serenity:~ chrome$ klist -f
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: chrome at VALUECOMMERCE.COM

Valid Starting     Expires            Service Principal
06/03/05 11:56:31  06/03/05 21:56:29  krbtgt/VALUECOMMERCE.COM at VALUECOMMERCE.COM
         renew until 06/03/05 11:56:31, FPRI
06/03/05 11:56:37  06/03/05 21:56:29  host/monster.sys.intra at VALUECOMMERCE.COM
         renew until 06/03/05 11:56:31, FPRT
06/03/05 11:56:43  06/03/05 21:56:29  host/nuts.sys.intra at VALUECOMMERCE.COM
         renew until 06/03/05 11:56:31, FPRT

klist: No Kerberos 4 tickets in credentials cache
serenity:~ chrome$ ssh monster.sys.intra
Last login: Fri Jun  3 12:22:46 2005 from nuts.sys.intra
[chrome at monster.sys.intra ~]$ ssh nuts.sys.intra
Last login: Fri Jun  3 12:22:40 2005 from monster.sys.intra
[chrome at nuts.sys.intra ~]$ ssh monster.sys.intra
Last login: Fri Jun  3 12:23:21 2005 from 10.0.13.24
[chrome at monster.sys.intra ~]$ ssh nuts.sys.intra
Permission denied (gssapi-with-mic).
[chrome at monster.sys.intra ~]$

That should work, right? I should be able to go workstation -> monster -> nuts -> monster -> nuts -> monster -> etc

right?

serenity:~ chrome$ kinit -f
Please enter the password for chrome at VALUECOMMERCE.COM:
serenity:~ chrome$ klist -f
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: chrome at VALUECOMMERCE.COM

Valid Starting     Expires            Service Principal
06/03/05 12:24:57  06/03/05 22:24:54  krbtgt/VALUECOMMERCE.COM at VALUECOMMERCE.COM
         renew until 06/03/05 12:24:57, FPRI

klist: No Kerberos 4 tickets in credentials cache
serenity:~ chrome$ ssh monster.sys.intra
Last login: Fri Jun  3 12:24:39 2005 from 10.0.13.24
[chrome at monster.sys.intra ~]$ klist -f
Ticket cache: FILE:/tmp/krb5cc_500_wG5550
Default principal: chrome at VALUECOMMERCE.COM

Valid starting     Expires            Service principal
06/03/05 12:25:17  06/03/05 22:24:54  krbtgt/VALUECOMMERCE.COM at VALUECOMMERCE.COM
         renew until 06/03/05 12:24:57, Flags: FfPRT


Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
[chrome at monster.sys.intra ~]$ ssh nuts.sys.intra
Last login: Fri Jun  3 12:23:24 2005 from monster.sys.intra
[chrome at nuts.sys.intra ~]$ klist -f
Ticket cache: FILE:/tmp/krb5cc_5002
Default principal: chrome at VALUECOMMERCE.COM

Valid starting     Expires            Service principal
06/03/05 11:39:57  06/04/05 11:39:57  krbtgt/VALUECOMMERCE.COM at VALUECOMMERCE.COM
         renew until 06/03/05 11:39:57, Flags: FRI
06/03/05 11:40:03  06/04/05 11:39:57  host/monster.sys.intra at VALUECOMMERCE.COM
         renew until 06/03/05 11:39:57, Flags: FRT


Kerberos 4 ticket cache: /tmp/tkt5002
klist: You have no tickets cached
[chrome at nuts.sys.intra ~]$ ssh monster.sys.intra
Last login: Fri Jun  3 12:25:17 2005 from 10.0.13.24
[chrome at monster.sys.intra ~]$ klist -f
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_500)


Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
[chrome at monster.sys.intra ~]$

It seems that after a few hops, I lose the ticket forwarding?

Regards,

Nathan.

-- 
Nathan Ollerenshaw / Systems Engineer
Systems Engineering
ValueCommerce Co., Ltd.

Tokyo Bldg 4F 3-32-7 Hongo Bunkyo-ku Tokyo 113-0033 Japan
Tel. +81.3.3817.8995   Fax. +81.3.3812.4051
mailto:nathan at valuecommerce.co.jp

  "The man who carries a cat by the tail learns something
  that can be learned in no other way." - Mark Twain
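
To see at which hop a forwarded TGT stops arriving, the `klist -f` flag letters on the krbtgt entry can be read mechanically (F = forwardable, f = forwarded, I = initial). The following is an added example, not part of the original post; the sample output is constructed, and the EXAMPLE.COM realm and host labels are placeholders.

```python
import re

# One ticket in `klist -f` output: a "start  expiry  service" line, then an
# indented line ending in the flag letters (with or without a "Flags:" label).
# Assumes the mm/dd/yy date layout shown in the post.
TICKET_RE = re.compile(
    r"^\d\d/\d\d/\d\d \d\d:\d\d:\d\d[ \t]+\d\d/\d\d/\d\d \d\d:\d\d:\d\d[ \t]+"
    r"(?P<svc>\S+)[ \t]*\n"
    r"[ \t]+(?:renew until [^,\n]*,[ \t]*(?:Flags:[ \t]*)?|Flags:[ \t]*)"
    r"(?P<flags>[A-Za-z]+)[ \t]*$",
    re.MULTILINE,
)

def tgt_flags(klist_output):
    """Return the flag letters of the krbtgt entry, or None if there is none."""
    for m in TICKET_RE.finditer(klist_output):
        if m.group("svc").startswith("krbtgt/"):
            return m.group("flags")
    return None

def hop_status(klist_output):
    """Summarise where the TGT came from and whether it can be sent onward."""
    flags = tgt_flags(klist_output)
    if flags is None:
        return "no-tgt"  # GSSAPI to the next host cannot get a service ticket
    origin = "forwarded" if "f" in flags else "initial" if "I" in flags else "other"
    onward = "forwardable" if "F" in flags else "not-forwardable"
    return f"{origin},{onward}"

# Constructed sample: `klist -f` output captured on each host of a chain.
HOPS = {
    "workstation": """Valid starting     Expires            Service principal
06/03/05 12:24:57  06/03/05 22:24:54  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 06/03/05 12:24:57, Flags: FPRI
""",
    "hop1": """Valid starting     Expires            Service principal
06/03/05 12:25:17  06/03/05 22:24:54  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 06/03/05 12:24:57, Flags: FfPRT
""",
    "hop2": "klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1000)\n",
}

def audit(hops):
    """Map each host label to its hop_status()."""
    return {host: hop_status(out) for host, out in hops.items()}

if __name__ == "__main__":
    for host, status in audit(HOPS).items():
        print(f"{host:12} {status}")
```

A hop that reports `initial` rather than `forwarded` is using a cache created by a local `kinit` on that host, not credentials delegated over ssh.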



