Kerberos auth based on ticket
Chris Hoy Poy
kryanth at gopc.net
Mon Dec 15 20:09:28 EST 2008
What does "ssh -v username@`hostname`" provide? And is hostname the same as the host principal you set up? "ssh -v" will tell which ones it's trying, at least.
//chris
----- Original Message -----
From: "Mathew Rowley" <mathew_rowley at cable.comcast.com>
To: "Russ Allbery" <rra at stanford.edu>
Cc: kerberos at mit.edu
Sent: Tuesday, 16 December, 2008 9:55:51 AM GMT +08:00 Beijing / Chongqing / Hong Kong / Urumqi
Subject: Re: Kerberos auth based on ticket
Ok, using the correct hostname, the same thing happens:
[root at ipa01 ~]# ssh mrowley@`hostname`
mrowley at ipa01.security.lab.comcast.com's password:
Last login: Mon Dec 15 18:42:09 2008 from localhost.localdomain
**Trying to log in with a valid ticket, but asks for password
[mrowley at ipa01 ~]$ ssh mrowley@`hostname`
mrowley at ipa01.security.lab.comcast.com's password:
**Shows that there is a ticket
[mrowley at ipa01 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_502_WaiNgJ
Default principal: mrowley at IPA.COMCAST.COM
Valid starting       Expires              Service principal
12/15/08 19:52:10    12/16/08 05:52:10    krbtgt/IPA.COMCAST.COM at IPA.COMCAST.COM
        renew until 12/15/08 19:52:10
Kerberos 4 ticket cache: /tmp/tkt502
klist: You have no tickets cached
**Showing the Kerberos realm is the same as the ssh'ed hostname
[mrowley at ipa01 ~]$ cat /etc/krb5.conf
...
[realms]
IPA.COMCAST.COM = {
kdc = ipa01.security.lab.comcast.com:88
admin_server = ipa01.security.lab.comcast.com:749
default_domain = security.lab.comcast.com
database_module = openldap_ldapconf
}
...
MAT
On 12/15/08 5:01 PM, "Russ Allbery" <rra at stanford.edu> wrote:
> Mathew Rowley <mathew_rowley at cable.comcast.com> writes:
>
>> > Well, that would make sense... Looking at the sshd and ssh configurations,
>> > it seems to be enabled on both. Is there some configuration I am missing?
>> >
>> > [root at ipa01 ~]# grep -i GSSAPI /etc/ssh/ssh_config
>> > GSSAPIAuthentication yes
>> > [root at ipa01 ~]# grep -i GSSAPI /etc/ssh/sshd_config
>> > # GSSAPI options
>> > GSSAPIAuthentication yes
>> > GSSAPICleanupCredentials yes
>
> Your original pasted example showed you ssh'ing to user at localhost. Unless
> you have a key for localhost in your keytab, that probably isn't going to
> work. ssh authenticates to the hostname that you type on the command
> line.
>
> --
> Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
>
--
MAT
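The checks the two replies point at (is there a TGT in the cache, does sshd offer and the client try gssapi-with-mic in the "ssh -v" output, and does the keytab hold a host/ key for the exact name typed on the command line) can be scripted. The following is an added example, not code from the thread or from MIT Kerberos or OpenSSH; the klist, klist -k and ssh -v outputs embedded in it are constructed to mirror the failing case above (TGT present, keytab keyed for localhost only), the "debug1:" strings are the ones OpenSSH prints, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: offline checks for the points the
# replies raise. The three sample outputs are constructed to mirror the
# thread's failing case; hostname and realm are the ones shown on the page.

# Constructed `klist` output: a TGT is present, no host/ service ticket.
KLIST_SAMPLE='Ticket cache: FILE:/tmp/krb5cc_502_WaiNgJ
Default principal: mrowley@IPA.COMCAST.COM

Valid starting     Expires            Service principal
12/15/08 19:52:10  12/16/08 05:52:10  krbtgt/IPA.COMCAST.COM@IPA.COMCAST.COM'

# Constructed `klist -k` output: the keytab has a key for localhost only,
# not for the FQDN the client is told to authenticate to.
KEYTAB_SAMPLE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------------------------------------------------------
   2 host/localhost.localdomain@IPA.COMCAST.COM'

# Constructed `ssh -v` excerpt: sshd offers gssapi-with-mic, the client tries
# it, it does not succeed, and ssh falls through to password.
SSH_V_SAMPLE='debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: password'

# Constructed `ssh -v` excerpt for the working case.
SSH_V_OK='debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Authentication succeeded (gssapi-with-mic).'

# has_tgt KLIST_OUTPUT REALM: true if the cache holds krbtgt/REALM@REALM
has_tgt() {
    printf '%s\n' "$1" | grep -qF "krbtgt/$2@$2"
}

# keytab_has_host KLIST_K_OUTPUT FQDN REALM: true if host/FQDN@REALM is in the keytab
keytab_has_host() {
    printf '%s\n' "$1" | grep -qF "host/$2@$3"
}

# classify_ssh_verbose SSH_V_OUTPUT: prints one of
#   no-gssapi-offered  sshd never listed gssapi-with-mic (server-side config)
#   gssapi-not-tried   offered, but the client never tried it (client-side config)
#   gssapi-ok          succeeded
#   gssapi-failed      tried, then ssh fell through to another method
classify_ssh_verbose() {
    if ! printf '%s\n' "$1" | grep -q 'Authentications that can continue:.*gssapi-with-mic'; then
        echo no-gssapi-offered
    elif ! printf '%s\n' "$1" | grep -q 'Next authentication method: gssapi-with-mic'; then
        echo gssapi-not-tried
    elif printf '%s\n' "$1" | grep -q 'Authentication succeeded (gssapi-with-mic)'; then
        echo gssapi-ok
    else
        echo gssapi-failed
    fi
}

# diagnose KLIST KLIST_K SSH_V FQDN REALM: one-line verdict
diagnose() {
    if ! has_tgt "$1" "$5"; then
        echo "no TGT for $5 in the cache: run kinit first"
        return 0
    fi
    case $(classify_ssh_verbose "$3") in
    no-gssapi-offered) echo "sshd did not offer gssapi-with-mic: check GSSAPIAuthentication in sshd_config" ;;
    gssapi-not-tried)  echo "client never tried gssapi-with-mic: check GSSAPIAuthentication in ssh_config" ;;
    gssapi-ok)         echo "gssapi-with-mic succeeded" ;;
    *)
        if keytab_has_host "$2" "$4" "$5"; then
            echo "host/$4@$5 is in the keytab but gssapi-with-mic still failed: check that the KDC has the same key version and that $4 resolves to itself"
        else
            echo "host/$4@$5 is not in the keytab: sshd cannot accept a ticket for the name you typed"
        fi ;;
    esac
}

# Stand-alone run against the constructed failing case.
diagnose "$KLIST_SAMPLE" "$KEYTAB_SAMPLE" "$SSH_V_SAMPLE" \
    ipa01.security.lab.comcast.com IPA.COMCAST.COM
```

On a real host, feed it the live outputs instead of the samples: `klist`, `klist -k` (as root, since /etc/krb5.keytab is normally root-only) and `ssh -v user@$(hostname -f) exit 2>&1`. The FQDN argument must be the name actually typed on the ssh command line, which is the name the client asks the KDC for a host/ ticket for; a keytab keyed for a different name, such as localhost, will not help.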
________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos