Passwordless ssh

Ido Levy IDOL at il.ibm.com
Sun Nov 11 04:35:34 EST 2007


Hello,

Maybe your problem is that your ticket isn't forwardable.
In /etc/krb5.conf try to add 'forwardable = true' under the [libdefaults]
section.

Also, when executing kinit you can try to use the -f option?

Regarding the sshd_config I use the following options:

PasswordAuthentication yes
GSSAPIAuthentication yes
UsePAM yes

Best Regards,

Ido Levy


                                                                           
Jon Reynolds <jonr at destar.net>
Sent by: kerberos-bounces@mit.edu
11/11/2007 09:49 AM
Please respond to jonr at destar.net

To: kerberos at mit.edu
cc:
Subject: Passwordless ssh
                                                                           
                                                                           




Hello,

I have been trying to log in without having to give a password after I
kinit. I can now log in without passwords but I have to kinit on each box
before it will work. Here is what I am doing:


1 box is the KDC
1 box is a remote host on same network

I built my kdc and configured my ssh daemon to use kerberos on both
computers. I created a principal for my username and the two hosts that
I am testing between. I copied the krb5.keytab file to my remote host
and set up the krb5.conf file on the remote host. I have my .k5login file
in my user's home directory and I have checked all the paths and verified
all the files in my kdc.conf and my krb5.conf file.

Now, to test, I first do a 'kdestroy' then I kinit. After this is done I
can ssh from my KDC to my remote host and I am not asked to enter my
password. But, if I try to ssh back to the KDC from the remote host I
just logged into, it will ask me for a password. I can stop this
behavior if I 'kinit' on the remote host. Then for the life of the
ticket I can ssh back and forth between the two boxes without being
asked to enter a password.

I would like to be able to 'kinit' one time and not have to do it on
each and every host. So, I must have screwed up somewhere or didn't
understand what I was reading.

Can anyone see my mistake or is there more information that someone
would need to help me?

Thanks for any help,

Jon


________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
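
Added example, not part of the original thread: a small shell check for the two settings named in the reply, 'forwardable = true' under [libdefaults] in krb5.conf and 'GSSAPIAuthentication yes' in sshd_config. The function names are hypothetical, and it assumes plain 'key = value' lines in krb5.conf and whitespace-separated 'Keyword value' lines in sshd_config.

```shell
#!/bin/sh
# Added example: checks the two server-side settings named in the reply.
# Pass file paths explicitly so it can be run against copies of the configs.

# krb5_forwardable FILE -> value of 'forwardable' in [libdefaults], or "unset"
krb5_forwardable() {
    awk '
        /^[ \t]*[#;]/ { next }                          # comment lines
        /^[ \t]*\[/   { section = $0; gsub(/[ \t]/, "", section); next }
        section == "[libdefaults]" {
            n = index($0, "=")
            if (n == 0) next
            key = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            if (key == "forwardable" && found == "") found = tolower(val)
        }
        END { if (found == "") found = "unset"; print found }
    ' "$1"
}

# sshd_option FILE KEYWORD -> first global value (sshd keeps the first value
# it reads for a keyword), or "unset". Stops at the first Match block.
sshd_option() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(want) { val = tolower($2); exit }
        END { if (val == "") val = "unset"; print val }
    ' "$1"
}

# check_forwarding KRB5_CONF SSHD_CONFIG -> 0 if both settings are in place
check_forwarding() {
    rc=0
    case "$(krb5_forwardable "$1")" in
        true|yes|y|t|1|on) ;;                           # krb5 boolean "true" spellings
        *) echo "krb5.conf: forwardable not enabled in [libdefaults]"; rc=1 ;;
    esac
    if [ "$(sshd_option "$2" GSSAPIAuthentication)" != "yes" ]; then
        echo "sshd_config: GSSAPIAuthentication is not yes"; rc=1
    fi
    return $rc
}

# Run only when called with both paths, e.g. /etc/krb5.conf /etc/ssh/sshd_config
if [ "$#" -eq 2 ]; then check_forwarding "$1" "$2"; fi
```

After 'kinit -f', 'klist -f' lists the flags on each ticket; an F in the flags marks a forwardable ticket.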




