How to get sshd w/ Kerberos on Mac OSX working
senseiwa at mac.com
Thu Jun 15 13:50:08 EDT 2006
On 2006-06-15 00:18:15 +0200, mba2000 at ioplex.com (Michael B Allen) said:
> What do you have to do to get sshd to do Kerberos on Mac OSX?
Nothing except enabling kerberos login (ssh worked out of the box to
me). Just google for that it's pretty easy (OSX has kerberos built in).
> I created an /etc/krb5.keytab and tried adding GSSAPIAuthentication yes to
> /etc/sshd_config but from looking at captures it doesn't even try anything
> remotely Kerberos related. I always get prompted for a password. I can ssh
> to a linux machine in the same enviroment and it works perfectly. Using
> otool -L I can see sshd is linked with the Kerberos Framework.
> The log messages are:
> Jun 14 17:47:15 mini xinetd: service ssh, IPV6_ADDRFORM
> setsockopt() failed: Protocol not available (errno = 42)
> Jun 14 17:47:15 mini xinetd: START: ssh pid=1325 from=192.168.2.16
> Jun 14 17:47:15 mini sshd: Generating 768 bit RSA key.
> Jun 14 17:47:15 mini sshd: RSA key generation complete.
> Jun 14 17:47:15 mini sshd: Connection from 192.168.2.16 port 34541
> Jun 14 17:47:15 mini sshd: reverse mapping checking getaddrinfo
> for quark.foo.net failed - POSSIBLE BREAKIN ATTEMPT!
> Jun 14 17:47:15 mini sshd: Failed none for miallen from
> 192.168.2.16 port 34541 ssh2
> That "reverse mapping" error is bogus. I have a perfectly good reverse
> zone. From looking at captures it appear to do an IPv6 lookup and then
> gives up. If it had tried a standard lookup it would have found the name.
What version of OSX? How did you enable kerberos? Can you kinit on the mac?
Sensei <senseiwa at mac.com>
The optimist thinks this is the best of all possible worlds.
The pessimist fears it is true. [J. Robert Oppenheimer]
More information about the Kerberos