Kerberos Single sign on not working

Greg Hudson ghudson at MIT.EDU
Mon May 27 20:41:21 EDT 2013


I don't know what's wrong, but I have some ideas for gathering more
information.  From what you've posted, it appears that:

1. kinit can send an AS request to the realm's KDC (because kinit works)
2. kinit can receive an AS reply from the realm's KDC (because kinit works)
3. ssh can send a TGS request to the realm's KDC (because the request
appears in the log)
4. ssh cannot receive a TGS reply from the realm's KDC (because of the
error message in the ssh -v output).

Some things which might help determine what's wrong:

* Set the KRB5_TRACE environment variable to a filename before running
kinit and then ssh.  Comparing the resulting trace output may determine
if ssh is somehow behaving differently from kinit.

* Run "kvno host/remote-hostname" to see if you can successfully make
TGS requests from a program other than ssh.

On 05/27/2013 04:02 PM, kannan rbk wrote:
> Dear team,
> I am using Kerberos 5. I configured single sign-on in ssh. I had a ticket
> but I cannot log in without a password.
> I changed "GSSAPIAuthentication yes" in sshd_config and
> "GSSAPIAuthentication yes,GSSDelegateCredentials yes" in ssh_config.
> Error Trace From "ssh -v"
> Cannot connect any kdc server
> 
> It's repeated 3 times. In the Kerberos server log, it requests TGS request 4
> times. I am trying to ssh to a CentOS machine from Ubuntu. kinit is working
> fine. I am able to log in without a password from CentOS to Ubuntu.
> 
> Please help me.
> 
> Regards,
> Bharathi Kannan R
> 
> 
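
The two checks suggested in the reply above, as an added example that is not part of the original thread: it writes one KRB5_TRACE file per command and counts, per KDC address, requests sent against answers received. The function names, the HOST argument and the sample trace lines are assumptions made for illustration, and the exact trace wording can differ between krb5 releases.

```shell
#!/bin/sh
# Added example (not from the original thread).

# kdc_io [FILE...]: read KRB5_TRACE lines (stdin if no file) and print, per
# KDC address, how many requests were sent and how many answers came back.
kdc_io() {
    awk '
        / Sending (initial|retry) UDP request to / { sent[$NF]++; seen[$NF] = 1 }
        / Sending TCP request to /                 { sent[$NF]++; seen[$NF] = 1 }
        / Received answer.* from /                 { got[$NF]++;  seen[$NF] = 1 }
        END {
            for (a in seen)
                printf "%s sent=%d answered=%d\n", a, sent[a], got[a]
        }' "$@" | sort
}

# collect_traces HOST: run kinit, ssh and kvno, each with its own trace file,
# then summarize each file. HOST is the ssh target (hypothetical argument).
collect_traces() {
    host=$1
    dir=$(mktemp -d) || return 1
    KRB5_TRACE="$dir/kinit.trace" kinit
    KRB5_TRACE="$dir/ssh.trace" ssh -v -o BatchMode=yes "$host" true
    KRB5_TRACE="$dir/kvno.trace" kvno "host/$host"
    for f in kinit ssh kvno; do
        echo "== $f"
        if [ -s "$dir/$f.trace" ]; then kdc_io "$dir/$f.trace"
        else echo "(no trace written)"; fi
    done
}

# Constructed sample lines (not output from the thread): kinit gets its answer.
sample_kinit_trace() {
    cat <<'EOF'
[2090] 1369701670.200000: Sending request (180 bytes) to EXAMPLE.COM
[2090] 1369701670.200500: Sending initial UDP request to dgram 192.0.2.10:88
[2090] 1369701670.204100: Received answer from dgram 192.0.2.10:88
EOF
}

# Constructed sample lines: the request is sent and retried, no answer arrives.
sample_ssh_trace() {
    cat <<'EOF'
[2101] 1369701681.100000: Sending request (812 bytes) to EXAMPLE.COM
[2101] 1369701681.100500: Sending initial UDP request to dgram 192.0.2.10:88
[2101] 1369701682.100500: Sending retry UDP request to dgram 192.0.2.10:88
EOF
}
```

A line with sent above zero and answered=0 in the ssh or kvno summary, next to an answered kinit, matches points 3 and 4 of the reply.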


