Kerberos auth based on ticket

Chris Hoy Poy kryanth at gopc.net
Mon Dec 15 20:09:28 EST 2008


What does "ssh -v username@`hostname`"provide? and is hostname the same as the host principle you set up? SSH -v will tell which ones its trying at least. 

//chris

----- Original Message -----
From: "Mathew Rowley" <mathew_rowley at cable.comcast.com>
To: "Russ Allbery" <rra at stanford.edu>
Cc: kerberos at mit.edu
Sent: Tuesday, 16 December, 2008 9:55:51 AM GMT +08:00 Beijing / Chongqing / Hong Kong / Urumqi
Subject: Re: Kerberos auth based on ticket

Ok, using the correct hostname, the same thing happens:

[root at ipa01 ~]# ssh mrowley@`hostname`
mrowley at ipa01.security.lab.comcast.com's password:
Last login: Mon Dec 15 18:42:09 2008 from localhost.localdomain

**Trying to log in with a valid ticket, but asks for password
[mrowley at ipa01 ~]$ ssh mrowley@`hostname`
mrowley at ipa01.security.lab.comcast.com's password:

**Shows that there is a ticket
[mrowley at ipa01 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_502_WaiNgJ
Default principal: mrowley at IPA.COMCAST.COM

Valid starting     Expires            Service principal
12/15/08 19:52:10  12/16/08 05:52:10  krbtgt/IPA.COMCAST.COM at IPA.COMCAST.COM
        renew until 12/15/08 19:52:10


Kerberos 4 ticket cache: /tmp/tkt502
klist: You have no tickets cached

**Showing the kerberos realm is the same as the ssh¹ed hostname
[mrowley at ipa01 ~]$ cat /etc/krb5.conf
...
[realms]
 IPA.COMCAST.COM = {
  kdc = ipa01.security.lab.comcast.com:88
  admin_server = ipa01.security.lab.comcast.com:749
  default_domain = security.lab.comcast.com
  database_module = openldap_ldapconf
 }
...


MAT



On 12/15/08 5:01 PM, "Russ Allbery" <rra at stanford.edu> wrote:

> Mathew Rowley <mathew_rowley at cable.comcast.com> writes:
> 
>> > Well, that would make sense... Looking at the sshd and ssh configurations,
>> > it seems to be enabled on both.  Is there some configuration I am missing?
>> >
>> > [root at ipa01 ~]# grep -i GSSAPI  /etc/ssh/ssh_config
>> >         GSSAPIAuthentication yes
>> > [root at ipa01 ~]# grep -i GSSAPI  /etc/ssh/sshd_config
>> > # GSSAPI options
>> > GSSAPIAuthentication yes
>> > GSSAPICleanupCredentials yes
> 
> Your original pasted example showed you ssh'ing to user at localhost.  Unless
> you have a key for localhost in your keytab, that probably isn't going to
> work.  ssh authenticates to the hostname that you type on the command
> line.
> 
> --
> Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
> 

-- 
MAT
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos




More information about the Kerberos mailing list