Problem: passwordless SSH-login with Kerberos doesn't work

Simo Sorce ssorce at redhat.com
Mon Jun 15 18:41:30 EDT 2009


On Mon, 2009-06-15 at 10:03 +0200, Hans van Zijst wrote:
> And here's the log (at DEBUG level) of the SSH server:
> 
> -----[ ssh server log ]-----
> debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7
> debug1: Forked child 2475.
> debug1: inetd sockets after dupping: 3, 3
> Connection from 10.115.193.8 port 35195
> debug1: Client protocol version 2.0; client software version 
> OpenSSH_5.1p1 Debian-5
> debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5
> debug1: PAM: initializing for "thisuser"
> debug1: PAM: setting PAM_RHOST to "client.staff.xxxxx.nl"
> debug1: PAM: setting PAM_TTY to "ssh"
> Failed none for thisuser from 10.115.193.8 port 35195 ssh2
> debug1: Unspecified GSS failure.  Minor code may provide more 
> information\nNo principal in keytab matches desired name\n
> debug1: do_cleanup
> debug1: PAM: cleanup

Clearly the ssh server does not agree about what is the right name.

The hostname of the machine must be the same name you set in the keytab.

That's what sshd uses (probably through gethostname()) to determine what
principal name to search for in the keytab.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
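
An added example, not part of the original message: a shell check for the mismatch described in the reply. It reads `klist -k` output and tests whether a `host/<hostname>` principal exists for the name the machine reports. The function names and the sample keytab listing (example.nl names) are constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic sketch. Assumes MIT-style `klist -k` output and that sshd
# needs a host/<hostname> principal in the keytab, as the reply describes.

# Constructed sample of `klist -k /etc/krb5.keytab` output (hypothetical names).
sample_klist() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/server.staff.example.nl@EXAMPLE.NL
   3 host/server.staff.example.nl@EXAMPLE.NL
   2 nfs/server.staff.example.nl@EXAMPLE.NL
EOF
}

# Print the unique host/ principals (realm stripped) from a listing on stdin.
# Entry lines start with a numeric KVNO; header and ruler lines are skipped.
list_host_principals() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /^host\// { sub(/@.*$/, "", $2); print $2 }' | sort -u
}

# Exit 0 if host/NAME is in the listing on stdin. The match is exact and
# case-sensitive, so a short name does not match an FQDN entry.
check_host_principal() {
    list_host_principals | grep -Fxq -- "host/$1"
}

# Report the result for NAME and, on a mismatch, show what the keytab holds.
diagnose() {
    name=$1
    listing=$(cat)
    if printf '%s\n' "$listing" | check_host_principal "$name"; then
        echo "OK: host/$name is in the keytab"
    else
        echo "MISMATCH: no host/$name in the keytab; host principals found:"
        printf '%s\n' "$listing" | list_host_principals | sed 's/^/  /'
        return 1
    fi
}

# Live use on the SSH server (needs read access to the keytab):
#   klist -k /etc/krb5.keytab | diagnose "$(hostname)"
```

A MISMATCH result with the sample listing and the short name `server` is the same condition that produces "No principal in keytab matches desired name" in the server log above.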



