What does "ssh -v usern...@`hostname`" provide? And is hostname the same as the host principal you set up? SSH -v will tell which ones it's trying at least.
//chris

----- Original Message -----
From: "Mathew Rowley" <[email protected]>
To: "Russ Allbery" <[email protected]>
Cc: [email protected]
Sent: Tuesday, 16 December, 2008 9:55:51 AM GMT +08:00 Beijing / Chongqing / Hong Kong / Urumqi
Subject: Re: Kerberos auth based on ticket

Ok, using the correct hostname, the same thing happens:

[r...@ipa01 ~]# ssh mrow...@`hostname`
[email protected]'s password:
Last login: Mon Dec 15 18:42:09 2008 from localhost.localdomain

**Trying to log in with a valid ticket, but asks for password
[mrow...@ipa01 ~]$ ssh mrow...@`hostname`
[email protected]'s password:

**Shows that there is a ticket
[mrow...@ipa01 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_502_WaiNgJ
Default principal: [email protected]

Valid starting     Expires            Service principal
12/15/08 19:52:10  12/16/08 05:52:10  krbtgt/[email protected]
        renew until 12/15/08 19:52:10

Kerberos 4 ticket cache: /tmp/tkt502
klist: You have no tickets cached

**Showing the kerberos realm is the same as the ssh'ed hostname
[mrow...@ipa01 ~]$ cat /etc/krb5.conf
...
[realms]
 IPA.COMCAST.COM = {
  kdc = ipa01.security.lab.comcast.com:88
  admin_server = ipa01.security.lab.comcast.com:749
  default_domain = security.lab.comcast.com
  database_module = openldap_ldapconf
 }
...

MAT

On 12/15/08 5:01 PM, "Russ Allbery" <[email protected]> wrote:

> Mathew Rowley <[email protected]> writes:
>
>> > Well, that would make sense... Looking at the sshd and ssh configurations,
>> > it seems to be enabled on both. Is there some configuration I am missing?
>> >
>> > [r...@ipa01 ~]# grep -i GSSAPI /etc/ssh/ssh_config
>> > GSSAPIAuthentication yes
>> > [r...@ipa01 ~]# grep -i GSSAPI /etc/ssh/sshd_config
>> > # GSSAPI options
>> > GSSAPIAuthentication yes
>> > GSSAPICleanupCredentials yes
>
> Your original pasted example showed you ssh'ing to u...@localhost. Unless
> you have a key for localhost in your keytab, that probably isn't going to
> work. ssh authenticates to the hostname that you type on the command
> line.
>
> --
> Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
>

--
MAT

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
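Russ Allbery's point about the typed hostname, as an added example that is not part of the original thread: this sketch parses a `klist -k` keytab listing and checks whether it holds the `host/` principal matching the name given to ssh. The keytab listing, host names and realm are constructed placeholders, and it assumes the client uses the name exactly as typed, with no DNS canonicalization.

```python
import re

# Constructed `klist -k /etc/krb5.keytab` output; host and realm are placeholders.
SAMPLE_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/ipa01.example.test@EXAMPLE.TEST
   3 host/ipa01.example.test@EXAMPLE.TEST
   2 HTTP/ipa01.example.test@EXAMPLE.TEST
"""

# An entry line starts with the key version number; the principal is the first
# service/host@REALM token after it (a timestamp or enctype column may be present).
ENTRY = re.compile(r"^\s*\d+\s+.*?(\S+/\S+@\S+)")


def keytab_principals(listing):
    """Return the set of (service, host, realm) triples found in the listing."""
    found = set()
    for line in listing.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header, separator or blank line
        name, realm = m.group(1).rsplit("@", 1)
        service, host = name.split("/", 1)
        found.add((service, host.lower(), realm))
    return found


def expected_principal(target, realm):
    """Service principal the client asks for when given `user@host` or `host`."""
    host = target.rsplit("@", 1)[-1].lower()
    return ("host", host, realm)


def check_target(target, listing, realm):
    """Return (present_in_keytab, principal_string) for an ssh target."""
    want = expected_principal(target, realm)
    return want in keytab_principals(listing), "%s/%s@%s" % want


if __name__ == "__main__":
    for target in ("user@ipa01.example.test", "user@localhost"):
        ok, princ = check_target(target, SAMPLE_KEYTAB, "EXAMPLE.TEST")
        print(target, "->", princ, "present" if ok else "MISSING from keytab")
```
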
