openssh + kerberos + windows ad
Javier Palacios
javiplx at gmail.com
Mon Jan 4 12:41:04 EST 2010
> login as: mmezzanotti
> Using keyboard-interactive authentication.
> Password:
> Last login: Wed Dec 30 14:00:19 2009 from localhost
> Have a lot of fun...
> mmezzanotti at os112:~> ls
> bin Documents Music Public Templates
> Desktop Download Pictures public_html Videos
> mmezzanotti at os112:~> klist
> Ticket cache: FILE:/tmp/krb5cc_10002_b8QDZx
> Default principal: mmezzanotti at VMWARELAB.INT
>
> Valid starting Expires Service principal
> 01/04/10 13:58:36 01/04/10 23:58:37 krbtgt/VMWARELAB.INT at VMWARELAB.INT
> renew until 01/05/10 13:58:36
I'm not sure if you are actually testing ticket authentication, but
just kerberos password authentication (by far much easier).
To actually check what you want, I recommend you start working just on
the linux node, and enter as whichever user. then
# kinit mmezzanotti
# ssh mmezzanotti at os112
If it does ask you for password, then credential authentication is not
working. And depending if your TGT was proxyable or not, you might
even end with void output from klist.
Someone answered about the need of a host keytab to achieve this. As
far as I remember that is not mandatory for linux (or wasn't for a
debian in 2004), but take into account.
> mmezzanotti at os112:~> ssh -vvv mmezzanotti at os112.vmwarelab.int
>
Try adding 'debug' to all pam.d lines on kerberos. That will produce a
much less verbose and hopefully more useful info.
More information about the Kerberos
mailing list