Kerberos auth based on ticket

Chris Hoy Poy kryanth at
Mon Dec 15 20:09:28 EST 2008

What does "ssh -v username@`hostname`"provide? and is hostname the same as the host principle you set up? SSH -v will tell which ones its trying at least. 


----- Original Message -----
From: "Mathew Rowley" <mathew_rowley at>
To: "Russ Allbery" <rra at>
Cc: kerberos at
Sent: Tuesday, 16 December, 2008 9:55:51 AM GMT +08:00 Beijing / Chongqing / Hong Kong / Urumqi
Subject: Re: Kerberos auth based on ticket

Ok, using the correct hostname, the same thing happens:

[root at ipa01 ~]# ssh mrowley@`hostname`
mrowley at's password:
Last login: Mon Dec 15 18:42:09 2008 from localhost.localdomain

**Trying to log in with a valid ticket, but asks for password
[mrowley at ipa01 ~]$ ssh mrowley@`hostname`
mrowley at's password:

**Shows that there is a ticket
[mrowley at ipa01 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_502_WaiNgJ
Default principal: mrowley at IPA.COMCAST.COM

Valid starting     Expires            Service principal
12/15/08 19:52:10  12/16/08 05:52:10  krbtgt/IPA.COMCAST.COM at IPA.COMCAST.COM
        renew until 12/15/08 19:52:10

Kerberos 4 ticket cache: /tmp/tkt502
klist: You have no tickets cached

**Showing the kerberos realm is the same as the ssh¹ed hostname
[mrowley at ipa01 ~]$ cat /etc/krb5.conf
  kdc =
  admin_server =
  default_domain =
  database_module = openldap_ldapconf


On 12/15/08 5:01 PM, "Russ Allbery" <rra at> wrote:

> Mathew Rowley <mathew_rowley at> writes:
>> > Well, that would make sense... Looking at the sshd and ssh configurations,
>> > it seems to be enabled on both.  Is there some configuration I am missing?
>> >
>> > [root at ipa01 ~]# grep -i GSSAPI  /etc/ssh/ssh_config
>> >         GSSAPIAuthentication yes
>> > [root at ipa01 ~]# grep -i GSSAPI  /etc/ssh/sshd_config
>> > # GSSAPI options
>> > GSSAPIAuthentication yes
>> > GSSAPICleanupCredentials yes
> Your original pasted example showed you ssh'ing to user at localhost.  Unless
> you have a key for localhost in your keytab, that probably isn't going to
> work.  ssh authenticates to the hostname that you type on the command
> line.
> --
> Russ Allbery (rra at             <>

Kerberos mailing list           Kerberos at

More information about the Kerberos mailing list