Using OpenSSH with multiple Kerberos principals
Jiawen Chen
jiawen at MIT.EDU
Tue Mar 9 02:01:27 EST 2010
I apologize if this is the wrong list on which to ask for help. If that's the case, please send me a pointer to the right list (perhaps the OpenSSH list?).
I have two Kerberos principals, jiawen@ATHENA.MIT.EDU and jiawen@CSAIL.MIT.EDU, which I like to use with OpenSSH to log in to the dialup servers at Athena and CSAIL, respectively, without passwords. I'm using OpenSSH 5.2p1 on Mac OS X 10.6.
My .ssh/config is set so that Kerberos is being used:
$ cat .ssh/config
ForwardX11 yes
ForwardAgent yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
And when used individually, I can log into athena and csail without passwords:
$ kdestroy -A
$ kinit jiawen@ATHENA.MIT.EDU
$ klist -A
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: jiawen@ATHENA.MIT.EDU
Valid Starting     Expires            Service Principal
03/09/10 01:56:42  03/09/10 11:56:42  krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
        renew until 03/16/10 02:56:42
$ ssh linux.dialup.mit.edu
<I can log in without a password>
Similarly, for login.csail.mit.edu. However, if I acquire both principals, OpenSSH appears to use only the latest one:
$ kinit jiawen@CSAIL.MIT.EDU
$ klist
Kerberos 5 ticket cache: 'API:3'
Default principal: jiawen@CSAIL.MIT.EDU
Valid Starting     Expires            Service Principal
03/09/10 01:58:15  03/09/10 11:58:14  krbtgt/CSAIL.MIT.EDU@CSAIL.MIT.EDU
        renew until 03/16/10 02:58:15
$ klist -A
Kerberos 5 ticket cache: 'API:3'
Default principal: jiawen@CSAIL.MIT.EDU
Valid Starting     Expires            Service Principal
03/09/10 01:58:15  03/09/10 11:58:14  krbtgt/CSAIL.MIT.EDU@CSAIL.MIT.EDU
        renew until 03/16/10 02:58:15
-------------------------------------------------------------------------------
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: jiawen@ATHENA.MIT.EDU
Valid Starting     Expires            Service Principal
03/09/10 01:56:42  03/09/10 11:56:42  krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
        renew until 03/16/10 02:56:42
Once the default principal has been set to the CSAIL one, I can no longer access linux.dialup.mit.edu without a password. Is there a way to make OpenSSH "search" for the appropriate one? Or is there a magic command to change the default principal, so I can script my way around the problem?
Thanks,
Jiawen
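The post asks for a scriptable way to choose the principal before ssh runs. As an added example (not the poster's code, and not part of OpenSSH or MIT Kerberos), the POSIX shell script below maps the destination host to a principal, finds the credential cache that holds that principal by parsing "klist -A" output in the format shown above, and runs ssh with KRB5CCNAME set to that cache for that one command only, so the shell's default cache is left as it was. The host table, the file name krb-ssh.sh and the function names are hypothetical; the script assumes the client's Kerberos library honours KRB5CCNAME for the "API:" cache names the post shows.

```shell
#!/bin/sh
# Added example, not from the original post. Usage (hypothetical file name):
#   sh krb-ssh.sh linux.dialup.mit.edu
#   sh krb-ssh.sh login.csail.mit.edu -l jiawen
# Assumptions: the Kerberos library honours KRB5CCNAME, `klist -A` prints
# caches in the format shown in the post, and the host table below
# (hypothetical) matches the realms in use.

# Host -> principal table (hypothetical; edit for your own realms). The more
# specific CSAIL pattern must come before the general *.mit.edu pattern.
principal_for_host() {
    case "$1" in
        *.csail.mit.edu) printf '%s\n' 'jiawen@CSAIL.MIT.EDU' ;;
        *.mit.edu)       printf '%s\n' 'jiawen@ATHENA.MIT.EDU' ;;
        *)               return 1 ;;
    esac
}

# Read `klist -A` output on stdin and print the name of the cache whose
# "Default principal:" line equals $1. Returns 1 if no cache holds it.
# The cache name is taken from between the single quotes on the
# "Kerberos 5 ticket cache: '...'" line that precedes the principal line.
ccache_for_principal() {
    awk -v want="$1" -v q="'" '
        /^Kerberos 5 ticket cache: / { split($0, f, q); cache = f[2] }
        /^Default principal: /      { p = $0; sub(/^Default principal: /, "", p)
                                      if (p == want) { print cache; found = 1; exit } }
        END { exit found ? 0 : 1 }
    '
}

# Wrapper: the first argument is the destination host; all arguments are
# passed on to ssh unchanged.
ssh_with_principal() {
    host=$1
    principal=$(principal_for_host "$host") || {
        printf 'no principal mapped for %s\n' "$host" >&2; return 1; }
    cache=$(klist -A 2>/dev/null | ccache_for_principal "$principal") || {
        printf 'no ticket cache holds %s (run: kinit %s)\n' \
            "$principal" "$principal" >&2; return 1; }
    # Only this ssh process sees the chosen cache; the shell's default
    # principal is not changed.
    KRB5CCNAME=$cache ssh "$@"
}

# Constructed sample of `klist -A` output, copied from the post, so the
# parser can be exercised without a KDC.
sample_klist_a() {
    cat <<'EOF'
Kerberos 5 ticket cache: 'API:3'
Default principal: jiawen@CSAIL.MIT.EDU
Valid Starting     Expires            Service Principal
03/09/10 01:58:15  03/09/10 11:58:14  krbtgt/CSAIL.MIT.EDU@CSAIL.MIT.EDU
        renew until 03/16/10 02:58:15
-------------------------------------------------------------------------------
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: jiawen@ATHENA.MIT.EDU
Valid Starting     Expires            Service Principal
03/09/10 01:56:42  03/09/10 11:56:42  krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
        renew until 03/16/10 02:56:42
EOF
}

# Run the wrapper only when a host was given on the command line.
if [ "$#" -gt 0 ]; then
    ssh_with_principal "$@"
fi
```

Because the cache is selected by principal name rather than by the cache label, the script keeps working after a fresh kinit changes which cache is "API:3"; if the lookup fails it says which principal to kinit rather than silently falling through to a password prompt.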