Ok, using the correct hostname, the same thing happens:

[r...@ipa01 ~]# ssh mrow...@`hostname`
[email protected]'s password:
Last login: Mon Dec 15 18:42:09 2008 from localhost.localdomain

**Trying to log in with a valid ticket, but asks for password
[mrow...@ipa01 ~]$ ssh mrow...@`hostname`
[email protected]'s password:

**Shows that there is a ticket
[mrow...@ipa01 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_502_WaiNgJ
Default principal: [email protected]

Valid starting     Expires            Service principal
12/15/08 19:52:10  12/16/08 05:52:10  krbtgt/[email protected]
        renew until 12/15/08 19:52:10

Kerberos 4 ticket cache: /tmp/tkt502
klist: You have no tickets cached

**Showing the kerberos realm is the same as the ssh'ed hostname
[mrow...@ipa01 ~]$ cat /etc/krb5.conf
...
[realms]
 IPA.COMCAST.COM = {
  kdc = ipa01.security.lab.comcast.com:88
  admin_server = ipa01.security.lab.comcast.com:749
  default_domain = security.lab.comcast.com
  database_module = openldap_ldapconf
 }
...

MAT

On 12/15/08 5:01 PM, "Russ Allbery" <[email protected]> wrote:

> Mathew Rowley <[email protected]> writes:
>
>> Well, that would make sense... Looking at the sshd and ssh configurations,
>> it seems to be enabled on both. Is there some configuration I am missing?
>>
>> [r...@ipa01 ~]# grep -i GSSAPI /etc/ssh/ssh_config
>> GSSAPIAuthentication yes
>> [r...@ipa01 ~]# grep -i GSSAPI /etc/ssh/sshd_config
>> # GSSAPI options
>> GSSAPIAuthentication yes
>> GSSAPICleanupCredentials yes
>
> Your original pasted example showed you ssh'ing to u...@localhost. Unless
> you have a key for localhost in your keytab, that probably isn't going to
> work. ssh authenticates to the hostname that you type on the command
> line.
>
> --
> Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
>

--
MAT

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
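
An added example, not part of the original thread: the klist output above lists only a krbtgt entry, and the quoted reply notes that ssh authenticates to the host name typed on the command line. The sketch below classifies klist output captured after an ssh attempt by whether a host/NAME service ticket was obtained; the function names, principals, realm and host names are all constructed, and NAME is assumed to be the name as it appears in the service principal.

```shell
#!/bin/sh
# Added example: classify klist output taken right after a GSSAPI ssh attempt.
# All principals, realms and host names below are constructed.

# has_host_ticket NAME  (klist text on stdin)
# Succeeds when a host/NAME@REALM service ticket is listed.
has_host_ticket() {
    awk -v want="host/$1@" '
        index($NF, want) == 1 { found = 1 }   # service principal is the last field
        END { exit !found }
    '
}

# diagnose NAME  (klist text on stdin): prints no-tgt, tgt-only or host-ticket-present
diagnose() {
    text=$(cat)
    if ! printf '%s\n' "$text" | grep -q 'krbtgt/'; then
        echo no-tgt                # nothing to authenticate with: run kinit first
    elif printf '%s\n' "$text" | has_host_ticket "$1"; then
        echo host-ticket-present   # client side worked: check the server keytab and sshd
    else
        echo tgt-only              # no ticket for host/NAME: check that principal exists
    fi
}

# Constructed sample: a TGT and nothing else.
KLIST_TGT_ONLY='Ticket cache: FILE:/tmp/krb5cc_1000_demo
Default principal: alice@EXAMPLE.COM

Valid starting     Expires            Service principal
12/15/08 19:52:10  12/16/08 05:52:10  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 12/15/08 19:52:10'

# Constructed sample: the same cache after a host service ticket was issued.
KLIST_WITH_HOST="$KLIST_TGT_ONLY
12/15/08 19:53:02  12/16/08 05:52:10  host/ssh01.example.com@EXAMPLE.COM"

printf '%s\n' "$KLIST_TGT_ONLY"  | diagnose ssh01.example.com
printf '%s\n' "$KLIST_WITH_HOST" | diagnose ssh01.example.com
printf '%s\n' "$KLIST_WITH_HOST" | diagnose localhost
```

On a live system the input would be `klist | diagnose "$(hostname)"`, run immediately after the ssh attempt that fell back to a password prompt.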
