Hi list,
I posted this earlier to c.s.ssh but got no response at all, so I hope I will have more luck here. Please tell me if this is OT and, if so, where to ask. Thanks

--------------------------------------------------------------------------

I'm searching for documentation in order to authenticate ssh users against my kerberos database. The configuration directives in sshd_config and various postings on the net indicate that this is possible via GSSAPI, but neither the manpage of sshd nor that of sshd_config seems to cover the subject. I searched openssh.org, the net and google groups for info but couldn't come up with something useful.

I think I have a basic understanding of how kerberos works and how to set up services to use it (I actually successfully set up openldap with SASL-GSSAPI, so the kerberos stuff should be working).

As I couldn't find any documentation, I did the setup as follows:

1. compiled openssh-3.7.1_p2 with kerberos support. (ldd told me ;)
2. created a service principal ssh/[EMAIL PROTECTED] (tried with sshd/[EMAIL PROTECTED] but no luck either)
3. exported that principal to a keytab, readable by sshd
4. set KRB5_KTNAME to point to the keytab.
5. started sshd -ddd

--------------------------------------------

ssh'ing from the client to the server gives:

    debug3: preferred gssapi, publickey,keyboard-interactive,password
    debug3: authmethod_lookup gssapi
    debug3: Next authentication method: gssapi
    debug2: we sent a gssapi packet, wait for reply
    ...
    ...
    debug2: we did not sent a packet, disable method
    debug3: authmethod_lookup publickey
    ...

then it goes further to normal password based auth.

--------------------------------------------

On the server, I got the error:

    debug1: Miscellaneous failure
    No principal in keytab matches desired name

I'm stuck here, what is the "desired name"? FYI, I did not get a service ticket and sshd does not raise an error when the TGT is expired.

Does anyone know where all this is documented?

thanks
Paul

________________________________________________
Kerberos mailing list
[EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
