ssh gssapi-with-mic and "Key table entry not found"
Greg Hudson
ghudson at MIT.EDU
Wed Aug 8 12:33:46 EDT 2012
On 08/08/2012 12:03 PM, Matt Garman wrote:
> I don't know enough about how Kerberos works, but I'll speculate a
> guess as to what was wrong yesterday: after a failed gssapi-with-mic
> login attempt, some "residual stuff" gets attached to the original
> TGT, some kind of "cache" of the "permission denied" situation.
There's no cache for failure, but there is a cache of service tickets.
For example, if you ssh to a host, then roll over the host's key without
keeping the old key in the host's keytab, then ssh to it again, you will
get a failure because the client has a cached ticket encrypted in the
old key. Running kdestroy and kinit (or just kinit) gets rid of any
cached services tickets. This is why, by default, kadmin ktadd adds to
the existing keytab rather than overwriting it.
If the server is running krb5 1.7 or later, this kind of problem should
result in a "Wrong principal in request" error in the sshd output (which
is still not very clear, but at least helps distinguish the problem from
sshd trying to acquire the wrong credentials). If the server is running
krb5 1.6.x (as in your case), the error will be "Key able entry not found".
More information about the Kerberos
mailing list