Kerberos5 + SSH Questions

Lee Eric openlinuxsource at
Tue Jan 4 06:31:37 EST 2011

So how do I know what client/server gets the idea of the server host
name? It looks like reverse map works well and they can get the same


On Tue, Jan 4, 2011 at 7:24 PM, Simon Wilkinson <simon at> wrote:
> On 4 Jan 2011, at 10:57, Lee Eric wrote:
>> debug1: Unspecified GSS failure.  Minor code may provide more information
>> Key table entry not found
>> [...]
>> So I notice that it was due to SSH server side cannot find keytab but
>> it exists in /etc/krb5.keytab:
>> -r--------. 1 root root 526 Jan  3 00:58 /etc/krb5.keytab
>> What I suppose that is is there any sshd_config entry I need to setup
>> to indicate the path of keytab?
> Not that it can't find the keytab, but that the entry that sshd is looking for cannot be found in the keytab. This suggests that the principal that you've put into the keytab doesn't match the name that the machine knows itself by. ssh uses host/gethostbyname(gethostname()) as the default principal - as do many other Kerberised services. It's worth making sure that your machine's idea of its name is correct.
> OpenSSH with my patches does offer a way around this - you can use GSSAPIStrictAcceptorCheck no, to allow it to accept any key in the keytab - but see the discussions in another recent thread about the pros, and cons, of this. However, this only helps if the name picked by the client is correct matches on that's in the keytab. If you've got naming problems, and it sounds like you do, its worth sorting all of those out before trying to get Kerberos going.
> Cheers,
> Simon.

More information about the Kerberos mailing list