Solaris 10 sshd + GSSAPI = where's my cred cache?

Douglas E. Engert deengert at anl.gov
Mon Nov 5 13:54:12 EST 2007



Jeff Blaine wrote:
> Solved.
> 
> Had to force client-side "-o GSSAPIStoreDelegatedCredentials yes"
> even though it was not defined anywhere as "no" (although probably
> a default for some reason).

Are you sure that was it? GSSAPIStoreDelegatedCredentials is a server side
option and defaults to yes. The client side option is GSSAPIDelegateCredentials
and defaults to no for security reasons. (You should only delegate to trusted
machines.)

man ssh_config and man sshd_config show the options.

> 
> Jeff Blaine wrote:
>> Nicolas et al,
>>
>> ==== SSHD server ====================================================
>>
>> ~:alberta> uname -a
>> SunOS alberta.foo.com 5.10 Generic_127111-01 sun4u sparc SUNW,Ultra-5_10
>> ~:alberta>
>>
>> ~:alberta> sudo /usr/lib/ssh/sshd -p 3333 -o
>> "GSSAPIStoreDelegatedCredentials yes" -o "GSSAPIKeyExchange yes" -o
>> "GSSAPIAuthentication yes" -ddd
>>
>> ==== SSH client =====================================================
>>
>> ~:rcf-kerbtest-linux> grep GSSAPI /etc/ssh/ssh_config
>>         GSSAPIAuthentication yes
>> ~:rcf-kerbtest-linux> ls .ssh/config
>> ls: .ssh/config: No such file or directory
>> ~:rcf-kerbtest-linux> /usr/kerberos/bin/klist -f
>> Ticket cache: FILE:/tmp/krb5cc_26560_XM0qlu
>> Default principal: jblaine at RCF.FOO.COM
>>
>> Valid starting     Expires            Service principal
>> 11/01/07 14:30:02  11/08/07 13:30:02  krbtgt/RCF.FOO.COM at RCF.FOO.COM
>>         Flags: FI
>> 11/01/07 14:30:02  11/08/07 13:30:02  afs at RCF.FOO.COM
>>         Flags: FT
>> 11/01/07 14:30:27  11/08/07 13:30:02  host/alberta.foo.com at RCF.FOO.COM
>>         Flags: FT
>>
>>
>> Kerberos 4 ticket cache: /tmp/tkt26560
>> klist: You have no tickets cached
>> ~:rcf-kerbtest-linux> /usr/bin/ssh -p 3333 alberta
>> Last login: Mon Nov  5 11:15:47 2007 from rcf-kerbtest-li
>> ...
>> ~:alberta> /usr/bin/klist
>> klist: No credentials cache file found (ticket cache 
>> FILE:/tmp/krb5cc_26560)
>> ~:alberta>
>>
>> ==== SSHD server reports =======================================
>> ...
>> debug1: userauth-request for user jblaine service ssh-connection method 
>> gssapi-with-mic
>> debug1: attempt 1 initial attempt 0 failures 1 initial failures 0
>> debug2: input_userauth_request: try method gssapi-with-mic
>> debug1: Client offered gssapi userauth with { 1 2 840 113554 1 2 2 } 
>> (supported)
>> debug2: Mapping initiator GSS-API principal to local username
>> debug2: Mapped the initiator to: jblaine
>> debug2: Starting PAM service sshd-gssapi for method gssapi-with-mic
>> debug3: Trying to reverse map address xxx.xx.11.213.
>> debug3: Not storing delegated GSS credentials (none delegated)
>> Accepted gssapi-with-mic for jblaine from xxx.xx.11.213 port 41605 ssh2
>> ...
>>
>>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
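
Added example, not code from Engert's reply or from the Sun/OpenSSH projects: a small POSIX shell check that walks the distinction drawn above, separating "the client never delegated" (GSSAPIDelegateCredentials in ssh_config, default no) from "the server refused to store" (GSSAPIStoreDelegatedCredentials in sshd_config, default yes). It assumes those defaults as stated in the reply, reads the TGT's forwardable flag (upper-case F) from klist -f output, and treats the sshd -ddd line quoted in the thread, "Not storing delegated GSS credentials (none delegated)", as proof that nothing was delegated. Host and Match blocks are not modelled, and every config file, klist listing and log line below is a constructed sample modelled on the thread, written to a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original thread. After a GSSAPI login leaves no
# credential cache on the server, decide whether the client never delegated
# (GSSAPIDelegateCredentials, ssh_config, assumed default "no") or the server
# declined to store (GSSAPIStoreDelegatedCredentials, sshd_config, assumed
# default "yes"). All input files are constructed samples.
set -u

# Effective value of OPTION in FILE: ssh and sshd use the first value obtained
# for a keyword, so the first non-comment match wins. Host/Match blocks ignored.
effective_option() {   # args: file option default
    val=$(awk -v opt="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(opt) { print tolower($2); exit }' "$1")
    printf '%s\n' "${val:-$3}"
}

# Delegation needs a forwardable TGT. In "klist -f" output the krbtgt line is
# followed by a "Flags:" line; an upper-case F there means forwardable.
tgt_forwardable() {   # arg: klist -f output file
    awk '/krbtgt\// { want = 1; next }
         want && $1 == "Flags:" { print (index($2, "F") ? "yes" : "no"); exit }' "$1"
}

# The sshd -ddd line quoted in the thread says nothing arrived to store.
client_delegated_per_sshd() {   # arg: sshd debug log
    if grep -q 'Not storing delegated GSS credentials (none delegated)' "$1"
    then echo no; else echo unknown; fi
}

diagnose() {   # args: ssh_config sshd_config klist_output sshd_debug_log
    if [ "$(tgt_forwardable "$3")" != yes ]; then
        echo "client: TGT is not forwardable, get one with kinit -f"
    elif [ "$(effective_option "$1" GSSAPIDelegateCredentials no)" != yes ]; then
        echo "client: GSSAPIDelegateCredentials is off (ssh_config default is no)"
    elif [ "$(client_delegated_per_sshd "$4")" = no ]; then
        echo "client: sshd received no delegated credentials, check the ssh command line"
    elif [ "$(effective_option "$2" GSSAPIStoreDelegatedCredentials yes)" != yes ]; then
        echo "server: GSSAPIStoreDelegatedCredentials is off in sshd_config"
    else
        echo "ok: delegation and storage both enabled"
    fi
}

WORK=$(mktemp -d)
# Constructed inputs: the thread's client config (no delegate option), a fixed
# client config, server configs with storage on and off, a forwardable TGT, and
# the sshd log line from the thread next to one without it.
printf '%s\n' '# client' 'GSSAPIAuthentication yes' > "$WORK/ssh_config.before"
printf '%s\n' 'GSSAPIAuthentication yes' 'GSSAPIDelegateCredentials yes' > "$WORK/ssh_config.after"
printf '%s\n' 'GSSAPIAuthentication yes' 'GSSAPIStoreDelegatedCredentials yes' > "$WORK/sshd_config"
printf '%s\n' 'GSSAPIStoreDelegatedCredentials no' > "$WORK/sshd_config.nostore"
cat > "$WORK/klist.txt" <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_26560_XM0qlu
Default principal: jblaine@RCF.FOO.COM
11/01/07 14:30:02  11/08/07 13:30:02  krbtgt/RCF.FOO.COM@RCF.FOO.COM
        Flags: FI
EOF
printf '%s\n' 'debug3: Not storing delegated GSS credentials (none delegated)' > "$WORK/sshd.log"
printf '%s\n' 'Accepted gssapi-with-mic for jblaine' > "$WORK/sshd.ok.log"

diagnose "$WORK/ssh_config.before" "$WORK/sshd_config" "$WORK/klist.txt" "$WORK/sshd.log"
diagnose "$WORK/ssh_config.after"  "$WORK/sshd_config" "$WORK/klist.txt" "$WORK/sshd.ok.log"
```

The first call reproduces the situation in the quoted transcript: a forwardable TGT, a client config with only GSSAPIAuthentication, and an sshd log that says "(none delegated)", so the check points at the client-side option rather than the server-side one. The second call, with the client option turned on and a server that stores, reports that both halves are enabled; swap in sshd_config.nostore to see the server-side diagnosis.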