Kerberos5 + SSH Questions

Brian Candler B.Candler at
Mon Jan 3 12:54:56 EST 2011

On Mon, Jan 03, 2011 at 09:02:59PM +0800, Lee Eric wrote:
> My server OS is Fedora 14 and the Kerberos version is 1.8.2-6, RPM
> based. I tried to combine SSH with Kerberos, but it looks like
> authentication fails when using Kerberos. Meanwhile, I don't
> know what I did wrong in the configuration file.
> The attachment is the necessary configuration I use.

I didn't see any attachment.

Basic checks are:

* Do you have "GSSAPIAuthentication yes" in /etc/ssh/sshd_config on the
  server? (note: not KerberosAuthentication. That is password authentication
  checked against the KDC)

* Do you have "GSSAPIAuthentication yes" in /etc/ssh/ssh_config on the

Plus usual Kerberos stuff:
* Are your clocks in sync?
* Did the client successfully get a ticket? (kinit)
* Does the server have correct forward and reverse DNS?

To debug this further, I suggest you run a temporary sshd in debugging mode
on a different port on the server:

    # /usr/sbin/sshd -d -p99

and on the client:

    $ kinit username
    $ ssh -p99 -v username@server

Now you should have logs at both the client side and the server side, which
may show what's going wrong.
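
The server-side check from the list above, as an added example that is not part of the original post: a small shell function that reports which value sshd would take for GSSAPIAuthentication from the global section of a config file, and flags the case where only KerberosAuthentication is enabled. The function names and the sample config are constructed for illustration; "no" is assumed as the default (the upstream OpenSSH default), and Include files are not followed.

```shell
#!/bin/sh
# effective_opt FILE KEYWORD DEFAULT
# Print the value found for KEYWORD in the global section of FILE.
# Keywords are case-insensitive and the first value obtained wins.
effective_opt() {
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" -v def="$3" '
        { sub(/^[ \t]+/, "") }                 # drop leading whitespace
        /^#/ || /^$/ { next }                  # skip comments and blank lines
        {
            split($0, f, /[ \t=]+/)            # accepts "Key value" and "Key=value"
            key = tolower(f[1])
            if (key == "match") exit           # Match blocks are conditional: stop here
            if (key == want) { val = f[2]; found = 1; exit }
        }
        END { print (found ? val : def) }
    ' "$1"
}

# check_sshd_gssapi FILE
# Returns 0 only when ticket-based (GSSAPI) login is enabled globally.
check_sshd_gssapi() {
    gss=$(effective_opt "$1" GSSAPIAuthentication no)   # assumed default: no
    krb=$(effective_opt "$1" KerberosAuthentication no)
    if [ "$gss" = yes ]; then
        echo "ok: GSSAPIAuthentication yes"
        return 0
    elif [ "$krb" = yes ]; then
        echo "fail: only KerberosAuthentication is on (password checked against the KDC)"
        return 1
    fi
    echo "fail: GSSAPIAuthentication is $gss"
    return 1
}

# Constructed sample: KerberosAuthentication set, GSSAPI commented out
# globally and enabled only inside a Match block.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PasswordAuthentication yes
KerberosAuthentication yes
#GSSAPIAuthentication yes
Match Address 10.0.0.0/8
    GSSAPIAuthentication yes
EOF
check_sshd_gssapi "$sample" || echo "(exit status $?)"
rm -f "$sample"
```

On a real server, point it at the file sshd actually reads, for example `check_sshd_gssapi /etc/ssh/sshd_config`.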



