Solaris 10 sshd + GSSAPI = where's my cred cache?

Jeff Blaine jblaine at kickflop.net
Mon Nov 5 11:31:57 EST 2007


Nicolas et al,

==== SSHD server ====================================================

~:alberta> uname -a
SunOS alberta.foo.com 5.10 Generic_127111-01 sun4u sparc SUNW,Ultra-5_10
~:alberta>

~:alberta> sudo /usr/lib/ssh/sshd -p 3333 -o "GSSAPIStoreDelegatedCredentials yes" -o "GSSAPIKeyExchange yes" -o "GSSAPIAuthentication yes" -ddd

==== SSH client =====================================================

~:rcf-kerbtest-linux> grep GSSAPI /etc/ssh/ssh_config
         GSSAPIAuthentication yes
~:rcf-kerbtest-linux> ls .ssh/config
ls: .ssh/config: No such file or directory
~:rcf-kerbtest-linux> /usr/kerberos/bin/klist -f
Ticket cache: FILE:/tmp/krb5cc_26560_XM0qlu
Default principal: jblaine@RCF.FOO.COM

Valid starting     Expires            Service principal
11/01/07 14:30:02  11/08/07 13:30:02  krbtgt/RCF.FOO.COM@RCF.FOO.COM
         Flags: FI
11/01/07 14:30:02  11/08/07 13:30:02  afs@RCF.FOO.COM
         Flags: FT
11/01/07 14:30:27  11/08/07 13:30:02  host/alberta.foo.com@RCF.FOO.COM
         Flags: FT


Kerberos 4 ticket cache: /tmp/tkt26560
klist: You have no tickets cached
~:rcf-kerbtest-linux> /usr/bin/ssh -p 3333 alberta
Last login: Mon Nov  5 11:15:47 2007 from rcf-kerbtest-li
...
~:alberta> /usr/bin/klist
klist: No credentials cache file found (ticket cache FILE:/tmp/krb5cc_26560)
~:alberta>

==== SSHD server reports =======================================
...
debug1: userauth-request for user jblaine service ssh-connection method gssapi-with-mic
debug1: attempt 1 initial attempt 0 failures 1 initial failures 0
debug2: input_userauth_request: try method gssapi-with-mic
debug1: Client offered gssapi userauth with { 1 2 840 113554 1 2 2 } (supported)
debug2: Mapping initiator GSS-API principal to local username
debug2: Mapped the initiator to: jblaine
debug2: Starting PAM service sshd-gssapi for method gssapi-with-mic
debug3: Trying to reverse map address xxx.xx.11.213.
debug3: Not storing delegated GSS credentials (none delegated)
Accepted gssapi-with-mic for jblaine from xxx.xx.11.213 port 41605 ssh2
...



