GSSAPIDelegateCredentials only works for REQUIRES_PRE_AUTH principals?

Adam Megacz megacz at cs.berkeley.edu
Tue Jun 8 14:03:10 EDT 2010


Russ Allbery <rra at stanford.edu> writes:
> Check the host/* principal on the system to which you were authenticating.
> I bet that the REQUIRES_PRE_AUTH flag was set for it, which means that
> only tickets that are pre-authenticated can authenticate to that service
> principal.

Indeed, that was it!  Russ saves the day again.

Curious: I assume that the failure mode here is some variation on the
sshd machine asking the KDC for a delegation and the KDC refusing.  Does
the refusal include enough information to produce an error message
(either in the sshd log or elsewhere) mentioning this as the reason for
the failure?

In general I find that sshd really does a very poor job explaining the
reason why things went wrong when it comes to Kerberos/GSSAPI.  I've got
some free cycles this summer that I can put towards fixing that if it's
something that can be fixed.

  - a



