help with Active Directory Kerberos authentication
Russ Allbery
rra at stanford.edu
Fri Oct 6 19:11:36 EDT 2006
Rohit Kumar Mehta <rohitm at engr.uconn.edu> writes:
> Kerberized telnet does not seem to work.
>
> nfsv4etch:~# telnet -k AD.ENGR.UCONN.EDU -l rohitm nfsv4etch
> Trying 127.0.1.1...
> Connected to nfsv4etch (127.0.1.1).
> Escape character is '^]'.
> telnetd: Authorization failed.
> Connection closed by foreign host.
After you've run this command, do you have host tickets in your ticket
cache for the system you're logging on to?
> Also if I type ssh rohitm at nfsv4etch, it prompts me for my password.
> I was hoping it would just let me in with my ticket.
> I have set the following options in /etc/ssh/sshd_config
> KerberosAuthentication yes
> #KerberosGetAFSToken yes
> KerberosOrLocalPasswd yes
> KerberosTicketCleanup yes
This just tells OpenSSH to try verifying passwords with Kerberos. These
options don't control logging on with existing Kerberos credentials. For
that, you want:
GSSAPIAuthentication yes
and the equivalent on the client. Since you're using etch, install
openssh-server (rather than the mostly obsolete ssh-krb5 package), but
note that it doesn't enable GSSAPI by default and you have to change its
configuration and restart the server after installing it. Similarly,
you'll need to change your client configuration to enable GSSAPI
authentication.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the Kerberos
mailing list