help with Active Directory Kerberos authentication

Russ Allbery rra at
Fri Oct 6 19:11:36 EDT 2006

Rohit Kumar Mehta <rohitm at> writes:

> Kerberized telnet does not seem to work.
> nfsv4etch:~# telnet -k AD.ENGR.UCONN.EDU -l rohitm nfsv4etch
> Trying
> Connected to nfsv4etch (
> Escape character is '^]'.
> telnetd: Authorization failed.
> Connection closed by foreign host.

After you've run this command, do you have host tickets in your ticket
cache for the system you're logging on to?

> Also if I type ssh rohitm at nfsv4etch, it prompts me for my password.
> I was hoping it would just let me in with my ticket.
> I have set the following options in /etc/ssh/sshd_config

> KerberosAuthentication yes
> #KerberosGetAFSToken yes
> KerberosOrLocalPasswd yes
> KerberosTicketCleanup yes

This just tells OpenSSH to try verifying passwords with Kerberos.  These
options don't control logging on with existing Kerberos credentials.  For
that, you want:

    GSSAPIAuthentication yes

and the equivalent on the client.  Since you're using etch, install
openssh-server (rather than the mostly obsolete ssh-krb5 package), but
note that it doesn't enable GSSAPI by default and you have to change its
configuration and restart the server after installing it.  Similarly,
you'll need to change your client configuration to enable GSSAPI

Russ Allbery (rra at             <>

More information about the Kerberos mailing list