Solaris 10 sshd + GSSAPI = where's my cred cache?

Jeff Blaine jblaine at kickflop.net
Mon Nov 5 12:06:14 EST 2007


Solved.

Had to force client-side "-o GSSAPIStoreDelegatedCredentials yes"
even though it was not defined anywhere as "no" (although probably
a default for some reason).

Jeff Blaine wrote:
> Nicolas et al,
> 
> ==== SSHD server ====================================================
> 
> ~:alberta> uname -a
> SunOS alberta.foo.com 5.10 Generic_127111-01 sun4u sparc SUNW,Ultra-5_10
> ~:alberta>
> 
> ~:alberta> sudo /usr/lib/ssh/sshd -p 3333 -o
> "GSSAPIStoreDelegatedCredentials yes" -o "GSSAPIKeyExchange yes" -o
> "GSSAPIAuthentication yes" -ddd
> 
> ==== SSH client =====================================================
> 
> ~:rcf-kerbtest-linux> grep GSSAPI /etc/ssh/ssh_config
>         GSSAPIAuthentication yes
> ~:rcf-kerbtest-linux> ls .ssh/config
> ls: .ssh/config: No such file or directory
> ~:rcf-kerbtest-linux> /usr/kerberos/bin/klist -f
> Ticket cache: FILE:/tmp/krb5cc_26560_XM0qlu
> Default principal: jblaine at RCF.FOO.COM
> 
> Valid starting     Expires            Service principal
> 11/01/07 14:30:02  11/08/07 13:30:02  krbtgt/RCF.FOO.COM at RCF.FOO.COM
>         Flags: FI
> 11/01/07 14:30:02  11/08/07 13:30:02  afs at RCF.FOO.COM
>         Flags: FT
> 11/01/07 14:30:27  11/08/07 13:30:02  host/alberta.foo.com at RCF.FOO.COM
>         Flags: FT
> 
> 
> Kerberos 4 ticket cache: /tmp/tkt26560
> klist: You have no tickets cached
> ~:rcf-kerbtest-linux> /usr/bin/ssh -p 3333 alberta
> Last login: Mon Nov  5 11:15:47 2007 from rcf-kerbtest-li
> ...
> ~:alberta> /usr/bin/klist
> klist: No credentials cache file found (ticket cache 
> FILE:/tmp/krb5cc_26560)
> ~:alberta>
> 
> ==== SSHD server reports =======================================
> ...
> debug1: userauth-request for user jblaine service ssh-connection method 
> gssapi-with-mic
> debug1: attempt 1 initial attempt 0 failures 1 initial failures 0
> debug2: input_userauth_request: try method gssapi-with-mic
> debug1: Client offered gssapi userauth with { 1 2 840 113554 1 2 2 } 
> (supported)
> debug2: Mapping initiator GSS-API principal to local username
> debug2: Mapped the initiator to: jblaine
> debug2: Starting PAM service sshd-gssapi for method gssapi-with-mic
> debug3: Trying to reverse map address xxx.xx.11.213.
> debug3: Not storing delegated GSS credentials (none delegated)
> Accepted gssapi-with-mic for jblaine from xxx.xx.11.213 port 41605 ssh2
> ...
> 
> 
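One way to triage the symptom in this thread from captured output, added here as an example and not part of the original posts: it combines the client's `klist -f` flags with the sshd debug lines to tell a non-forwardable TGT apart from a client that never delegated. The function names are hypothetical, and the sample text is copied from the post as archived.

```shell
#!/bin/sh
# Added example. Sample text is copied from the post as archived (addresses
# appear as "user at REALM"); the function names are hypothetical.
SAMPLE_KLIST=$(cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_26560_XM0qlu
Default principal: jblaine at RCF.FOO.COM

Valid starting     Expires            Service principal
11/01/07 14:30:02  11/08/07 13:30:02  krbtgt/RCF.FOO.COM at RCF.FOO.COM
        Flags: FI
11/01/07 14:30:27  11/08/07 13:30:02  host/alberta.foo.com at RCF.FOO.COM
        Flags: FT
EOF
)
SAMPLE_SSHD=$(cat <<'EOF'
debug2: Mapped the initiator to: jblaine
debug3: Not storing delegated GSS credentials (none delegated)
Accepted gssapi-with-mic for jblaine from xxx.xx.11.213 port 41605 ssh2
EOF
)

# Succeeds when the krbtgt entry in `klist -f` output carries the F flag.
tgt_forwardable() {
  printf '%s\n' "$1" | awk '
    /krbtgt\//       { want = 1; next }
    want && /Flags:/ { sub(/.*Flags:[ \t]*/, ""); found = ($0 ~ /F/); exit }
    END              { exit(found ? 0 : 1) }'
}

# Reports what sshd logged about delegation. Only the message quoted in
# the post is recognised; anything else is "unknown".
server_delegation_state() {
  if printf '%s\n' "$1" | grep -qF 'Not storing delegated GSS credentials (none delegated)'; then
    echo none-delegated
  else
    echo unknown
  fi
}

# $1: client `klist -f` output, $2: server `sshd -ddd` output.
diagnose() {
  if ! printf '%s\n' "$2" | grep -q '^Accepted gssapi-with-mic for '; then
    echo not-gssapi-login; return
  fi
  if ! tgt_forwardable "$1"; then
    echo tgt-not-forwardable; return
  fi
  case $(server_delegation_state "$2") in
    none-delegated) echo client-did-not-delegate ;;
    *)              echo inconclusive ;;
  esac
}

diagnose "$SAMPLE_KLIST" "$SAMPLE_SSHD"
```

For the output in this thread the TGT is forwardable and the login succeeded with gssapi-with-mic, so the result points at the client side, which matches where the fix was made.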


