GSSAPI Issue

Bram Cymet bcymet at cbnco.com
Wed Nov 24 12:10:38 EST 2010


  Hi,

I am having this weird problem using GSSAPI delegation with SSH.

I am using pam_krb5 on the server side as well.

If I just ssh with no tickets on my local machine, it will ask me for a 
password and I can then run a klist on the server and see:

ssh bcymet at LS.CBN@mgaauth1.ni.ls.cbn

Password:

Last login: Wed Nov 24 11:00:06 2010 from 172.20.250.139

bcymet at LS.CBN@mgaauth1:~>  klist

Ticket cache: FILE:/tmp/krb5cc_5002_v11419

Default principal: bcymet at LS.CBN

Valid starting     Expires            Service principal

11/24/10 11:05:43  11/24/10 21:05:43  krbtgt/LS.CBN at LS.CBN

     renew until 11/25/10 11:05:41


However, if I kinit first:

bcymet at linux-s6k6:/etc>  kinit bcymet at LS.CBN

bcymet at linux-s6k6:/etc>  klist

Ticket cache: FILE:/tmp/krb5cc_1000

Default principal: bcymet at LS.CBN

Valid starting     Expires            Service principal

11/24/10 12:06:56  11/24/10 22:06:56  krbtgt/LS.CBN at LS.CBN

     renew until 11/25/10 12:06:47

bcymet at linux-s6k6:/etc>  ssh bcymet at LS.CBN@mgaauth1.ni.ls.cbn

Last login: Wed Nov 24 11:05:43 2010 from 172.20.250.139

bcymet at LS.CBN@mgaauth1:~>  klist

klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_5002)



So it allows me to ssh without a password (as I want) but then when I 
try to klist on the server I don't seem to have a credentials cache and 
I am fairly sure I should have one.

After leaving the server my credentials cache looks as expected:

bcymet at LS.CBN@mgaauth1:~>  exit

logout

Connection to mgaauth1.ni.ls.cbn closed.

bcymet at linux-s6k6:/etc>  klist

Ticket cache: FILE:/tmp/krb5cc_1000

Default principal: bcymet at LS.CBN

Valid starting     Expires            Service principal

11/24/10 12:06:56  11/24/10 22:06:56  krbtgt/LS.CBN at LS.CBN

     renew until 11/25/10 12:06:47

11/24/10 12:07:32  11/24/10 22:06:56  krbtgt/NI.LS.CBN at LS.CBN

     renew until 11/25/10 12:06:47

11/24/10 12:07:37  11/24/10 22:06:56  host/mgaauth1.ni.ls.cbn at NI.LS.CBN

     renew until 11/25/10 12:06:47



This is a cross-realm setup.

Any ideas what could be going on?

Thanks,

-- 
Bram Cymet
Software Developer
Canadian Bank Note Co. Ltd.
Cell: 613-608-9752




