kerberos, hpux 11.11, ssh
Christopher D. Clausen
cclausen at acm.org
Wed May 9 15:11:31 EDT 2007
Wilson, Michael <michael.wilson at diebold.com> wrote:
> ***KLIST -kte***
> [abc]:/var/adm/syslog # klist -kte
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp Principal
> ---- -----------------
> 6 05/08/07 16:12:33 host/abc at KDC.DIEBOLD.COM (DES cbc mode with
> ***HOSTS FILE***
> [abc]:/etc $ cat hosts
> 10.9.1.1 abc
> 127.0.0.1 localhost loopback
Well, I suspect that should be using a FQDN and not just "host/abc"
does kinit -kt /etc/krb5.keytab host/abc
(you should not get any messages, and klist should show tickets for the
> [abc]:/etc # cat krb5.conf
> default = FILE:/var/adm/krb5lib.log
> kdc = FILE:/var/adm/krb5kdc.log
> admin_server = FILE:/var/adm/kKDCmind.log
> ticket_liftetime = 24000
> default_realm = KDC.DIEBOLD.COM
Your Windows AD domain is called KDC.DIEBOLD.COM ? That doesn't sound
> dns_lookup_realm = false
> dns_lookup_kdc = true
> default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5
> default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5
Delete the above two lines. Hardcoding enctypes is a bad idea and will
cause you much pain in the future.
> The keytab was added earlier and is now in place.
> After I read your email I reviewed a few things and here is where we
> are now:
> We can telnet into 'abc' and we get authenticated via active
> directory. When we use ssh to try this we get rejected.
Authenticated using Kerberos tickets? OR via typing in a password?
What EXACT error message do you get from SSH? And is the error message
actually from SSH itself? Or from whatever PAM type stuff that hpux
> We have tried to find results for this on the internet, but have had
> No viable luck.
try the following:
kinit -f -5 -p <user>@<REALM>
ssh -vvv -o "GSSAPIAuthentication yes" <machine>
(Ctrl-C it if you get a password prompt or if it doesn't work.)
(yes, again, and look for a host/* ticket)
And what does your sshd_config file look like?
More information about the Kerberos