Quoting "Douglas E. Engert" <[EMAIL PROTECTED]>:

> Jon Reynolds wrote:
>> Hello,
>>
>> I have been trying to login without having to give a password after
>> I kinit. I can now login without passwords but I have to kinit on
>> each box before it will work. Here is what I am doing:
>>
>> 1 box is the KDC
>> 1 box is a remote host on same network
>>
>> I built my kdc and configured my ssh daemon to use kerberos on both
>> computers. I created a principal for my username and the two hosts
>> that I am testing between. I copied the krb5.keytab file to my
>> remote host and setup the krb5.conf file on the remote host. I have
>> my .k5login file in my users home directory and I have checked all
>> the paths and verified all the files in my kdc.conf and my
>> krb5.conf file.
>>
>> Now, to test, I first do a 'kdestroy' then I kinit. After this is
>> done I can ssh from my KDC to my remote host and I am not asked to
>> enter my password. But, if I try to ssh back to the KDC from the
>> remote host I just logged into, it will ask me for a password. I
>> can stop this behavior if I 'kinit' on the remote host. Then for
>> the life of the ticket I can ssh back and forth between the two
>> boxes without being asked to enter a password.
>>
>> I would like to be able to 'kinit' one time and not have to do it
>> on each and every host. So, I must have screwed up somewhere or
>> didn't understand what I was reading.
>>
>> Can anyone see my mistake or is there more information that someone
>> would need to help me?
>
> Two things:
>
> As Ido Levy pointed out you need forwardable tickets so they can be
> forwarded.
>
> In addition to using GSSAPIAuthentication yes which you must have
> already set, you need to tell ssh to delegate (forward) credentials
> (tickets). ssh needs the GSSAPIDelegateCredentials yes. The default is
> no, for security reasons. You should only delegate to hosts you trust
> with your identity. So best to put this in your own ~/.ssh/ssh_config
> for selected hosts.

Thank you Ido and Doug, I now have it working. It was the 'forwardable = true' that I was missing in my krb5.conf file. Also, thanks for the extra ssh info Doug, I will put them in my .ssh file from now on.

Jon

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
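The two settings the thread settles on, written out as an added example (not configuration posted by anyone in the thread): the krb5.conf change that makes the initial TGT forwardable, and the per-host ssh_config stanza Doug recommends so that credentials are delegated only to named hosts rather than to every server. The realm EXAMPLE.COM and the host names kdc.example.com and remote.example.com are placeholders for the two boxes in the thread.

```ini
# --- /etc/krb5.conf (excerpt) ---------------------------------------
# Without "forwardable = true", kinit issues a TGT that cannot be
# forwarded, so the remote host has nothing to present when you ssh
# back to the KDC. This is the setting Jon was missing.
[libdefaults]
    default_realm = EXAMPLE.COM     # placeholder realm
    forwardable = true

# --- ~/.ssh/ssh_config ----------------------------------------------
# ssh takes the FIRST value it finds for each option, so the stanza for
# the trusted hosts must come BEFORE the catch-all "Host *" block.
Host kdc.example.com remote.example.com   # placeholder hosts you trust
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes   # forward the TGT to these hosts only

Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no    # the default: never hand your TGT to
                                    # an arbitrary server
```

After `kdestroy; kinit`, `klist -f` should show an `F` in the Flags line of the krbtgt entry; if it does not, the krb5.conf change was not picked up and delegation will still fail even with the ssh_config stanza in place.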
