Kerberos5 + SSH Questions

Lee Eric openlinuxsource at gmail.com
Tue Jan 4 06:23:59 EST 2011


Hi mate,

[root@herdingcat ericlee]# ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  l -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 host/ns.herdingcat.internal@HERDINGCAT.INTERNAL (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2    2 host/ns.herdingcat.internal@HERDINGCAT.INTERNAL (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   3    2 host/ns.herdingcat.internal@HERDINGCAT.INTERNAL (Triple DES cbc mode with HMAC/sha1)
   4    2 host/ns.herdingcat.internal@HERDINGCAT.INTERNAL (ArcFour with HMAC/md5)
   5    2 host/ns.herdingcat.internal@HERDINGCAT.INTERNAL (DES with HMAC/sha1)
   6    2 host/ns.herdingcat.internal@HERDINGCAT.INTERNAL (DES cbc mode with RSA-MD5)
ktutil:  [root@herdingcat ericlee]#

Yes, it was copy-pasted. So is there anything wrong?

Eric

On Tue, Jan 4, 2011 at 7:16 PM, Brian Candler <B.Candler at pobox.com> wrote:
> On Tue, Jan 04, 2011 at 06:57:20PM +0800, Lee Eric wrote:
>> debug1: Unspecified GSS failure.  Minor code may provide more information
>> Key table entry not found
>
> Aha, that's your problem. What does the following show?
>
> # ktutil
> rkt /etc/krb5.keytab
> l -e
> ^D
>
> And what does 'klist' on the client show, after you've attempted to ssh?
>
>> So I notice that it was due to SSH server side cannot find keytab but
>> it exists in /etc/krb5.keytab:
>> -r--------. 1 root root 526 Jan  3 00:58 /etc/krb5.keytab
>
> It can find the keytab, but it can't find the right entry in the keytab.
>
> BTW, was that copy-pasted? I've never seen a '.' after the mode bits before.
>
> Regards,
>
> Brian.
>
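
The quoted diagnosis (sshd can read the keytab but cannot find the right entry in it) comes down to comparing principal, KVNO and enctype between the keytab and the service ticket. The following is an added example, not part of the original thread: it parses an `l -e` listing, re-joining the mailer's wrapped lines, and reports which field fails to match. The ticket values passed to `check_ticket` are hypothetical, and enctype names are assumed to be given in the long form ktutil prints.

```python
import re

# Constructed sample: first three entries of the `l -e` listing in the message
# above, with the mailer's line wrapping kept so the parser has to undo it.
LISTING = """\
slot KVNO Principal
---- ---- ---------------------------------------------------------------
   1    2 host/ns.herdingcat.internal@HERDINGCAT.INTERNAL (AES-256 CTS
mode with 96-bit SHA-1 HMAC)
   2    2 host/ns.herdingcat.internal@HERDINGCAT.INTERNAL (AES-128 CTS
mode with 96-bit SHA-1 HMAC)
   3    2 host/ns.herdingcat.internal@HERDINGCAT.INTERNAL (Triple DES
cbc mode with HMAC/sha1)
"""

ENTRY_START = re.compile(r"^\s*\d+\s+\d+\s")            # slot, KVNO, ...
ENTRY = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+\((.+)\)\s*$")

def parse_listing(text):
    """Return (kvno, principal, enctype) tuples, re-joining wrapped lines."""
    joined = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if ENTRY_START.match(line) or not joined:
            joined.append(line.rstrip())
        else:
            joined[-1] += " " + line.strip()    # continuation of previous line
    return [(int(m[2]), m[3], m[4]) for m in map(ENTRY.match, joined) if m]

def check_ticket(entries, principal, kvno, enctype):
    """Say which field, if any, stops a keytab entry matching a service ticket."""
    by_princ = [e for e in entries if e[1] == principal]
    if not by_princ:
        return "no entry for principal " + principal
    by_kvno = [e for e in by_princ if e[0] == kvno]
    if not by_kvno:
        return f"kvno {kvno} not in keytab (has {sorted({e[0] for e in by_princ})})"
    if all(e[2] != enctype for e in by_kvno):
        return "no key of enctype " + enctype
    return "match"

if __name__ == "__main__":
    keytab = parse_listing(LISTING)
    aes256 = "AES-256 CTS mode with 96-bit SHA-1 HMAC"
    # Hypothetical tickets: same host under a different name, then a newer KVNO.
    print(check_ticket(keytab, "host/herdingcat.internal@HERDINGCAT.INTERNAL", 2, aes256))
    print(check_ticket(keytab, "host/ns.herdingcat.internal@HERDINGCAT.INTERNAL", 3, aes256))
```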



