Passwordless ssh

Douglas E. Engert deengert at anl.gov
Mon Nov 12 09:55:13 EST 2007



Jon Reynolds wrote:
> Hello,
> 
> I have been trying to login without having to give a password after I 
> kinit. I can now login without passwords but I have to kinit on each box 
> before it will work. Here is what I am doing:
> 
> 
> 1 box is the KDC
> 1 box is a remote host on same network
> 
> I built my kdc and configured my ssh daemon to use kerberos on both 
> computers. I created a principal for my username and the two hosts that 
> I am testing between. I copied the krb5.keytab file to my remote host 
> and setup the krb5.conf file on the remote host. I have my .k5login file 
> in my users home directory and I have checked all the paths and verified 
> all the files in my kdc.conf and my krb5.conf file.
> 
> Now, to test, I first do a 'kdestroy' then I kinit. After this is done I 
> can ssh from my KDC to my remote host and I am not asked to enter my 
> password. But, if I try to ssh back to the KDC from the remote host I 
> just logged into, it will ask me for a password. I can stop this 
> behavior if I 'kinit' on the remote host. Then for the life of the 
> ticket I can ssh back and forth between the two boxes without being 
> asked to enter a password.
> 
> I would like to be able to 'kinit' one time and not have to do it on 
> each and every host. So, I must have screwed up somewhere or didn't 
> understand what I was reading.
> 
> Can anyone see my mistake or is there more information that someone 
> would need to help me?

Two things:

  As Ido Levy pointed out you need forwardable tickets so they can be forwarded.

  In addition to using GSSAPIAuthentication yes, which you must have already set,
  you need to tell ssh to delegate (forward) credentials (tickets).
  ssh needs the GSSAPIDelegateCredentials yes.  The default is no, for security
  reasons. You should only delegate to hosts you trust with your identity.
  So best to put this in your own ~/.ssh/ssh_config for selected hosts.

> 
> Thanks for any help,
> 
> Jon
> 
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
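The two checks in the reply above, as an added example that is not part of the original thread: a small POSIX shell script that (1) confirms the ticket obtained by kinit is actually forwardable by looking for the F flag in `klist -f` output, and (2) enables GSSAPIDelegateCredentials for one named host only, in a per-host stanza, rather than globally. It assumes MIT Kerberos `klist -f` output formatting and OpenSSH client config syntax; the klist output embedded below is constructed sample data and `kdc.example.com` is a hypothetical host name.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. Assumes MIT Kerberos
# `klist -f` output and OpenSSH client config syntax.

# Constructed sample of `klist -f` output after `kinit -f` (or with
# `forwardable = true` under [libdefaults] in krb5.conf): F is in Flags.
KLIST_FORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jon@EXAMPLE.COM

Valid starting       Expires              Service principal
11/12/07 09:00:00  11/12/07 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	Flags: FIA'

# Constructed sample of the same TGT obtained without forwardable: no F.
KLIST_NOT_FORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jon@EXAMPLE.COM

Valid starting       Expires              Service principal
11/12/07 09:00:00  11/12/07 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	Flags: IA'

# tgt_is_forwardable: read `klist -f` output on stdin; exit 0 only if the
# krbtgt entry's Flags line contains F. Without F there is nothing for ssh
# to delegate, so the next hop will fall back to a password prompt.
tgt_is_forwardable() {
    awk '
        /krbtgt\// { in_tgt = 1; next }
        in_tgt && /Flags:/ {
            split($0, parts, "Flags:")
            if (index(parts[2], "F") > 0) found = 1
            in_tgt = 0
        }
        END { exit found ? 0 : 1 }
    '
}

# ssh_delegate_stanza HOST: print an ssh_config stanza that turns on GSSAPI
# authentication and credential delegation for that single host, so the
# delegation setting is scoped to a host you trust with your identity.
ssh_delegate_stanza() {
    printf 'Host %s\n    GSSAPIAuthentication yes\n    GSSAPIDelegateCredentials yes\n' "$1"
}

# add_delegate_host HOST [CONFIG]: append the per-host stanza to the user's
# ssh client config (default ~/.ssh/config) unless a stanza for that exact
# host is already present, so repeated runs do not duplicate it.
add_delegate_host() {
    host=$1
    conf=${2:-"$HOME/.ssh/config"}
    if [ -f "$conf" ] && grep -qxF "Host $host" "$conf"; then
        return 0
    fi
    ssh_delegate_stanza "$host" >> "$conf"
}

# Stand-alone demonstration on the constructed samples.
if printf '%s\n' "$KLIST_FORWARDABLE" | tgt_is_forwardable; then
    echo "sample 1: TGT is forwardable, delegation can work"
fi
if ! printf '%s\n' "$KLIST_NOT_FORWARDABLE" | tgt_is_forwardable; then
    echo "sample 2: TGT is NOT forwardable; re-run kinit -f or set forwardable = true"
fi
echo "stanza that would be added for a trusted host:"
ssh_delegate_stanza kdc.example.com
```

On a real box, replace the embedded samples with `klist -f | tgt_is_forwardable` before the first ssh hop; if that check fails, no ssh_config setting will help, because the KDC never issued a forwardable ticket.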
