Kerberos auth based on ticket

Mathew Rowley mathew_rowley at cable.comcast.com
Mon Dec 15 19:55:51 EST 2008


Ok, using the correct hostname, the same thing happens:

[root at ipa01 ~]# ssh mrowley@`hostname`
mrowley at ipa01.security.lab.comcast.com's password:
Last login: Mon Dec 15 18:42:09 2008 from localhost.localdomain

**Trying to log in with a valid ticket, but asks for password
[mrowley at ipa01 ~]$ ssh mrowley@`hostname`
mrowley at ipa01.security.lab.comcast.com's password:

**Shows that there is a ticket
[mrowley at ipa01 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_502_WaiNgJ
Default principal: mrowley at IPA.COMCAST.COM

Valid starting     Expires            Service principal
12/15/08 19:52:10  12/16/08 05:52:10  krbtgt/IPA.COMCAST.COM at IPA.COMCAST.COM
        renew until 12/15/08 19:52:10


Kerberos 4 ticket cache: /tmp/tkt502
klist: You have no tickets cached

**Showing the kerberos realm is the same as the ssh¹ed hostname
[mrowley at ipa01 ~]$ cat /etc/krb5.conf
...
[realms]
 IPA.COMCAST.COM = {
  kdc = ipa01.security.lab.comcast.com:88
  admin_server = ipa01.security.lab.comcast.com:749
  default_domain = security.lab.comcast.com
  database_module = openldap_ldapconf
 }
...


MAT



On 12/15/08 5:01 PM, "Russ Allbery" <rra at stanford.edu> wrote:

> Mathew Rowley <mathew_rowley at cable.comcast.com> writes:
> 
>> > Well, that would make sense... Looking at the sshd and ssh configurations,
>> > it seems to be enabled on both.  Is there some configuration I am missing?
>> >
>> > [root at ipa01 ~]# grep -i GSSAPI  /etc/ssh/ssh_config
>> >         GSSAPIAuthentication yes
>> > [root at ipa01 ~]# grep -i GSSAPI  /etc/ssh/sshd_config
>> > # GSSAPI options
>> > GSSAPIAuthentication yes
>> > GSSAPICleanupCredentials yes
> 
> Your original pasted example showed you ssh'ing to user at localhost.  Unless
> you have a key for localhost in your keytab, that probably isn't going to
> work.  ssh authenticates to the hostname that you type on the command
> line.
> 
> --
> Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
> 

-- 
MAT



More information about the Kerberos mailing list