Parag needs to provide a little more information. We are running OpenSSH-3.6.1p2 with Simon's patch. Works great.
Do a klist -f before and after on the client to see the tickets. On the new ssh session to the first host, also do echo $KRB5CCNAME and klist -f to see if you did get a forwarded ticket. Start a test version of the sshd -p 2222 -d -d -d on the server then on the client do a ssh -p 2222 -v -v -v so as to get the traces on both ends. On the server, also do a ls -l /tmp/krb5* and see if a new cache was created with the forwarded ticket. It could be the env is not being set. If you have access to the KDC, look at the syslog to see tickets being issued. You should see an additional TGT being issued, which will be forwarded. Does the sshd_config have: GssapiAuthentication yes I think this is the default, but you can try it. Donn Cave wrote: > > In article <[EMAIL PROTECTED]>, > Frank Cusack <[EMAIL PROTECTED]> wrote: > > Wow. Lots of info. :-) I'll quote it all, since it's so involved that > > it will be useful to have a complete reference in a single message. > > Good - so, folks who want that complete reference: you know where to go! > > > No. Only if you want to use ssh protocol 2. ahhh... this is the problem. > > By default, ssh will select protocol 2. Which doesn't support krb5. So > > you must tell it to use protocol 1, and probably must tell the server > > to do krb5 (probably sshd_config on the server doesn't accept krb5 by > > default). > > I found this all a little confusing, and I'm sure there are people > here who know more about the GSSAPI OpenSSH patch, but in case it > helps ... The way I read it, he applied this patch with the expectation > that it provides Kerberos support for protocol 2, and that is true - > it should. Only between patched OpenSSH servers and clients, because > unfortunately it doesn't interoperate with the ssh.com approach to > Kerberos 5 for protocol 2. I agree that ssh -v ought to help narrow > down the problem. It might be worth trying some other Kerberos 5 > application - I believe we're talking about Redhat Linux here, where > the telnet and ftp applications should support Kerberos 5. > > Secondly I think the term "forwarding" doesn't apply to the scenarios > I'm reading about here. If you log in to sshd with your Kerberos > password, the remote credentials acquired in the process are actually > local in this sense - they reside on the host that acquired them, as > sshd did that. When used to authenticate to some service from there, > that's just simple basic Kerberos authentication, no forwarding needed. > > Donn Cave, [EMAIL PROTECTED] > ________________________________________________ > Kerberos mailing list [EMAIL PROTECTED] > https://mailman.mit.edu/mailman/listinfo/kerberos -- Douglas E. Engert <[EMAIL PROTECTED]> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 ________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
