Single sign-on with ssh (only unix)
Nathan Ollerenshaw
nathan at valuecommerce.co.jp
Thu Jun 2 23:26:02 EDT 2005
Hi again folks!
I eventually got it working partially, but I have a question.
serenity:~ chrome$ klist -f
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: chrome at VALUECOMMERCE.COM
Valid Starting Expires Service Principal
06/03/05 11:56:31 06/03/05 21:56:29 krbtgt/VALUECOMMERCE.COM at VALUECOMMERCE.COM
renew until 06/03/05 11:56:31, FPRI
06/03/05 11:56:37 06/03/05 21:56:29 host/monster.sys.intra at VALUECOMMERCE.COM
renew until 06/03/05 11:56:31, FPRT
06/03/05 11:56:43 06/03/05 21:56:29 host/nuts.sys.intra at VALUECOMMERCE.COM
renew until 06/03/05 11:56:31, FPRT
klist: No Kerberos 4 tickets in credentials cache
serenity:~ chrome$ ssh monster.sys.intra
Last login: Fri Jun 3 12:22:46 2005 from nuts.sys.intra
[chrome at monster.sys.intra ~]$ ssh nuts.sys.intra
Last login: Fri Jun 3 12:22:40 2005 from monster.sys.intra
[chrome at nuts.sys.intra ~]$ ssh monster.sys.intra
Last login: Fri Jun 3 12:23:21 2005 from 10.0.13.24
[chrome at monster.sys.intra ~]$ ssh nuts.sys.intra
Permission denied (gssapi-with-mic).
[chrome at monster.sys.intra ~]$
That should work, right? I should be able to go workstation -> monster -> nuts -> monster -> nuts -> monster -> etc, right?
serenity:~ chrome$ kinit -f
Please enter the password for chrome at VALUECOMMERCE.COM:
serenity:~ chrome$ klist -f
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: chrome at VALUECOMMERCE.COM
Valid Starting Expires Service Principal
06/03/05 12:24:57 06/03/05 22:24:54 krbtgt/VALUECOMMERCE.COM at VALUECOMMERCE.COM
renew until 06/03/05 12:24:57, FPRI
klist: No Kerberos 4 tickets in credentials cache
serenity:~ chrome$ ssh monster.sys.intra
Last login: Fri Jun 3 12:24:39 2005 from 10.0.13.24
[chrome at monster.sys.intra ~]$ klist -f
Ticket cache: FILE:/tmp/krb5cc_500_wG5550
Default principal: chrome at VALUECOMMERCE.COM
Valid starting Expires Service principal
06/03/05 12:25:17 06/03/05 22:24:54 krbtgt/VALUECOMMERCE.COM at VALUECOMMERCE.COM
renew until 06/03/05 12:24:57, Flags: FfPRT
Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
[chrome at monster.sys.intra ~]$ ssh nuts.sys.intra
Last login: Fri Jun 3 12:23:24 2005 from monster.sys.intra
[chrome at nuts.sys.intra ~]$ klist -f
Ticket cache: FILE:/tmp/krb5cc_5002
Default principal: chrome at VALUECOMMERCE.COM
Valid starting Expires Service principal
06/03/05 11:39:57 06/04/05 11:39:57 krbtgt/VALUECOMMERCE.COM at VALUECOMMERCE.COM
renew until 06/03/05 11:39:57, Flags: FRI
06/03/05 11:40:03 06/04/05 11:39:57 host/monster.sys.intra at VALUECOMMERCE.COM
renew until 06/03/05 11:39:57, Flags: FRT
Kerberos 4 ticket cache: /tmp/tkt5002
klist: You have no tickets cached
[chrome at nuts.sys.intra ~]$ ssh monster.sys.intra
Last login: Fri Jun 3 12:25:17 2005 from 10.0.13.24
[chrome at monster.sys.intra ~]$ klist -f
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_500)
Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
[chrome at monster.sys.intra ~]$
It seems that after a few hops, I lose the ticket forwarding?
Regards,
Nathan.
--
Nathan Ollerenshaw / Systems Engineer
Systems Engineering
ValueCommerce Co., Ltd.
Tokyo Bldg 4F 3-32-7 Hongo Bunkyo-ku Tokyo 113-0033 Japan
Tel. +81.3.3817.8995 Fax. +81.3.3812.4051
mailto:nathan at valuecommerce.co.jp
"The man who carries a cat by the tail learns something
that can be learned in no other way." - Mark Twain