Passwordless ssh - SOLVED -
jonr@destar.net
Mon Nov 12 13:26:46 EST 2007
Quoting "Douglas E. Engert" <deengert at anl.gov>:
>
>
> Jon Reynolds wrote:
>> Hello,
>>
>> I have been trying to login without having to give a password after
>> I kinit. I can now login without passwords but I have to kinit on
>> each box before it will work. Here is what I am doing:
>>
>>
>> 1 box is the KDC
>> 1 box is a remote host on same network
>>
>> I built my kdc and configured my ssh daemon to use kerberos on both
>> computers. I created a principal for my username and the two hosts
>> that I am testing between. I copied the krb5.keytab file to my
>> remote host and setup the krb5.conf file on the remote host. I have
>> my .k5login file in my users home directory and I have checked all
>> the paths and verified all the files in my kdc.conf and my
>> krb5.conf file.
>>
>> Now, to test, I first do a 'kdestroy' then I kinit. After this is
>> done I can ssh from my KDC to my remote host and I am not asked to
>> enter my password. But, if I try to ssh back to the KDC from the
>> remote host I just logged into, it will ask me for a password. I
>> can stop this behavior if I 'kinit' on the remote host. Then for
>> the life of the ticket I can ssh back and forth between the two
>> boxes without being asked to enter a password.
>>
>> I would like to be able to 'kinit' one time and not have to do it
>> on each and every host. So, I must have screwed up somewhere or
>> didn't understand what I was reading.
>>
>> Can anyone see my mistake or is there more information that someone
>> would need to help me?
>
> Two things:
>
> As Ido Levy pointed out you need forwardable tickets so they can be
> forwarded.
>
> In addition to using GSSAPIAuthentication yes, which you must have
> already set, you need to tell ssh to delegate (forward) credentials
> (tickets). ssh needs GSSAPIDelegateCredentials yes. The default is no,
> for security reasons. You should only delegate to hosts you trust with
> your identity. So best to put this in your own ~/.ssh/ssh_config for
> selected hosts.
>
Thank you Ido and Doug, I now have it working. It was the 'forwardable
= true' that I was missing in my krb5.conf file. Also, thanks for the
extra ssh info Doug, I will put them in my .ssh file from now on.
Jon
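The two pieces of the fix discussed in this thread, as an added example that is not part of the original messages: a check that the TGT in the credential cache actually carries the forwardable flag (the 'F' in `klist -f` output), and a per-host ~/.ssh/config stanza that turns on delegation only for the hosts you trust, as Doug recommends, rather than globally. The sample `klist -f` output, the realm EXAMPLE.COM and the host names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original thread.
#
# Prerequisites on the client side (assumed, matching the thread):
#   [libdefaults] in /etc/krb5.conf:   forwardable = true
#   (or request it per ticket with:    kinit -f user@REALM)
# A ticket that was not issued forwardable cannot be delegated, so the
# remote host never gets a TGT and the hop back asks for a password.

# Print the flags field of the krbtgt entry from `klist -f` output on stdin.
# Flags printed by MIT klist: F = forwardable, f = forwarded (a delegated
# copy), R = renewable, I = initial. The check below is case-sensitive on
# purpose: a lowercase 'f' is a ticket that was forwarded to us, not proof
# that we can forward it onward.
tgt_flags() {
    awk '/krbtgt\//{want=1; next}
         want && /Flags:/{sub(/.*Flags: */, ""); print; exit}'
}

# Exit 0 if the TGT on stdin is forwardable, 1 otherwise.
tgt_is_forwardable() {
    flags=$(tgt_flags)
    case "$flags" in
        *F*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Emit a ~/.ssh/config stanza that enables GSSAPI auth and delegation for
# one named host only. Putting GSSAPIDelegateCredentials under "Host *"
# would hand a copy of your TGT to every server you ssh to.
ssh_delegate_stanza() {
    host=$1
    printf 'Host %s\n' "$host"
    printf '    GSSAPIAuthentication yes\n'
    printf '    GSSAPIDelegateCredentials yes\n'
}

# Check the live credential cache (not run by the self-test below).
check_current_ticket() {
    klist -f 2>/dev/null | tgt_is_forwardable
}

# Constructed sample of `klist -f` output after `kinit` with forwardable = true.
SAMPLE_FORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jon@EXAMPLE.COM

Valid starting       Expires              Service principal
11/12/07 13:00:00  11/12/07 23:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	Flags: FRIA'

# Constructed sample of the same ticket issued without the forwardable flag,
# which is what the original poster had before fixing krb5.conf.
SAMPLE_PLAIN='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jon@EXAMPLE.COM

Valid starting       Expires              Service principal
11/12/07 13:00:00  11/12/07 23:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	Flags: RIA'

# Demonstration on the constructed samples.
if printf '%s\n' "$SAMPLE_FORWARDABLE" | tgt_is_forwardable; then
    echo "sample 1: TGT is forwardable, delegation can work"
fi
if ! printf '%s\n' "$SAMPLE_PLAIN" | tgt_is_forwardable; then
    echo "sample 2: TGT is not forwardable, add forwardable = true or use kinit -f"
fi
ssh_delegate_stanza remote.example.com
```

On a real box, run `check_current_ticket` after `kinit` to confirm the 'F' flag before blaming ssh; once the stanza is in ~/.ssh/config, `klist -f` on the remote host should show a ticket with the lowercase 'f' (forwarded) flag. For a one-off session, OpenSSH's `ssh -K` enables both GSSAPI authentication and delegation without editing the config.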