Kerberos5 + SSH Questions

Brian Candler B.Candler at pobox.com
Mon Jan 3 12:54:56 EST 2011


On Mon, Jan 03, 2011 at 09:02:59PM +0800, Lee Eric wrote:
> My server OS is Fedora 14 and the Kerberos version is 1.8.2-6 (RPM-based).
> I tried to combine SSH with Kerberos, but it looks like
> authentication fails when using Kerberos. Meanwhile, I don't
> know what I did wrong in the configuration file.
> 
> The attachment is the necessary configuration I use.

I didn't see any attachment.

Basic checks are:

* Do you have "GSSAPIAuthentication yes" in /etc/ssh/sshd_config on the
  server? (note: not KerberosAuthentication. That is password authentication
  checked against the KDC)

* Do you have "GSSAPIAuthentication yes" in /etc/ssh/ssh_config on the
  client?

Plus the usual Kerberos stuff:
* Are your clocks in sync?
* Did the client successfully get a ticket? (kinit)
* Does the server have correct forward and reverse DNS?

To debug this further, I suggest you run a temporary sshd in debugging mode
on a different port on the server:

    # /usr/sbin/sshd -d -p99

and on the client:

    $ kinit username
    $ ssh -p99 -v username@server

Now you should have logs at both the client side and the server side, which
may show what's going wrong.

Regards,

Brian.
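
The two configuration checks from the message above, as an added example that is not part of the original post: a small shell helper that reports the value OpenSSH would take for a keyword from a config file, so a commented-out or shadowed "GSSAPIAuthentication" line is caught. The function names are hypothetical, and as a simplifying assumption only the global section and "Host *" / "Match all" blocks are considered.

```shell
#!/bin/sh
# Added example (not from the original message).
# OpenSSH keywords are case-insensitive and the first value obtained for a
# keyword is the one used, so a later "yes" does not override an earlier "no".
# Assumption: only the global section and "Host *" / "Match all" blocks are
# evaluated; every other Host/Match block is skipped.

effective_opt() {   # usage: effective_opt FILE KEYWORD
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        BEGIN { active = 1 }                   # global section applies to everyone
        /^[ \t]*#/ || NF == 0 { next }         # skip comments and blank lines
        { sub(/=/, " "); key = tolower($1) }   # accept "Keyword=value" as well
        key == "host" {
            active = 0
            for (i = 2; i <= NF; i++) if ($i == "*") active = 1
            next
        }
        key == "match" { active = (tolower($2) == "all"); next }
        active && key == want { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

gssapi_enabled() {  # succeeds only when GSSAPIAuthentication is explicitly "yes"
    [ "$(effective_opt "$1" GSSAPIAuthentication)" = "yes" ]
}

# Report on the two files named in the checklist, when they are readable.
for f in /etc/ssh/sshd_config /etc/ssh/ssh_config; do
    if [ -r "$f" ]; then
        printf '%s: GSSAPIAuthentication=%s\n' "$f" \
            "$(effective_opt "$f" GSSAPIAuthentication)"
    fi
done
```

On a live server, `sshd -T` prints the effective server configuration and is the authoritative check; the helper above is for inspecting a file without starting sshd.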


