Does your ssh_config file have:

  GSSAPIDelegateCredentials yes

or do you need to specify it on the command line with -o?
Andrei Maslennikov wrote:
>
> Hi Douglas, and thanks for your comment.
>
> On Mon, 26 Jan 2004, Douglas E. Engert wrote:
>
> > > 1) ssh to host A, login with K5 password (and obtain a PAG-based token)
> >
> > Was the ticket marked forwardable? Can you set with Heimdal in the
> > krb5.conf file a default that tickets should be forwardable?
> > What does klist -f show on host A?
>
> Yes, tickets are set to be forwardable in the [libdefaults] section:
>
> <[EMAIL PROTECTED] ~>klist -f
> Credentials cache: FILE:/tmp/krb5cc_k20844
> Principal: [EMAIL PROTECTED]
>
>   Issued           Expires          Flags    Principal
> Jan 26 20:34:02  Jan 27 03:14:02  FI       krbtgt/[EMAIL PROTECTED]
> Jan 26 20:34:02  Jan 27 03:14:02           [EMAIL PROTECTED]
> Jan 26 20:34:31  Jan 27 03:14:02           host/[EMAIL PROTECTED]
>
> V4-ticket file: /tmp/tkt401
> klist: No ticket file (tf_util)
>
> > > 2) from host A, ssh to host B, login w/o pw (this time with GSSAPI)
> >
> > GSSAPI should have delegated a K5 credential, and set the KRB5CCNAME
> > on host B.
>
> This does not occur, however GSSAPI lets me in (without creds):
> ......
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue: publickey,gssapi,password,keyboard-interactive
> debug1: Next authentication method: gssapi
> debug1: Authentication succeeded (gssapi).            <<<<<<<<<<<<<<<<<<
> debug1: channel 0: new [client-session]
> debug1: Entering interactive session.
> debug1: Requesting X11 forwarding with authentication spoofing.
> debug1: Requesting authentication agent forwarding.
> Could not chdir to home directory /afs/ing/system/hq/ing: Permission denied
>
> > > 3) inside host B: no K5 creds forwarded from host A, no token.
> >
> > We can do the above
>
> ..That's what the "sshd -d" tells me:
>
> .....
> debug1: userauth-request for user ing service ssh-connection method gssapi
> debug1: attempt 1 failures 1
> Postponed gssapi for ing from 151.100.85.253 port 44184 ssh2
> debug1: Got no client credentials
> Authorized to ing, krb5 principal [EMAIL PROTECTED] (krb5_kuserok)
> Accepted gssapi for ing from 151.100.85.253 port 44184 ssh2   <<<<<<<<<<<
> Accepted gssapi for ing from 151.100.85.253 port 44184 ssh2
> .....
> .....
> debug1: session_input_channel_req: session 0 req shell
> debug1: temporarily_use_uid: 401/401 (e=401/401)
> debug1: No credentials stored                                 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
> debug1: restore_uid: (unprivileged)
> ...
>
> Inside the host B: no credentials at all:
>
> [EMAIL PROTECTED] /]$ /usr/heimdal/bin/klist
> klist: No ticket file: /tmp/krb5cc_401
>
> V4-ticket file: /tmp/tkt401
> klist: No ticket file (tf_util)
>
> THERE SHOULD BE SOMETHING ELSE....

-- 
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
_______________________________________________
OpenAFS-devel mailing list
[EMAIL PROTECTED]
https://lists.openafs.org/mailman/listinfo/openafs-devel
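An added example, not part of the thread above and not OpenAFS or OpenSSH project code: a small POSIX shell script that applies the two checks this reply is driving at, whether the TGT on host A is forwardable (the F flag in Heimdal klist -f output) and whether the ssh client actually asks for delegation (GSSAPIDelegateCredentials yes in ssh_config, or -o GSSAPIDelegateCredentials=yes on the command line). The klist listings and ssh_config fragments are constructed, modelled on the quoted output, with placeholder realm and host names; the script assumes klist prints each ticket on a single line (the wrapped principals in the quoted mail are a mail-client artifact).

```shell
#!/bin/sh
# Added example (not from the thread): check the two preconditions for
# GSSAPI credential delegation through OpenSSH.
#   1. The TGT in the client's credential cache must be forwardable
#      (flag F in Heimdal "klist -f" output).
#   2. The ssh client must request delegation (GSSAPIDelegateCredentials yes).
# All sample data below is constructed; realm and host names are placeholders.

# Constructed klist -f output: TGT issued forwardable (flags FI).
KLIST_FORWARDABLE='Credentials cache: FILE:/tmp/krb5cc_k20844
Principal: user@EXAMPLE.ORG

  Issued           Expires          Flags    Principal
Jan 26 20:34:02  Jan 27 03:14:02  FI       krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
Jan 26 20:34:31  Jan 27 03:14:02           host/hostb.example.org@EXAMPLE.ORG'

# Constructed klist -f output: same cache, but the TGT lacks the F flag.
KLIST_NOT_FORWARDABLE='Credentials cache: FILE:/tmp/krb5cc_k20844
Principal: user@EXAMPLE.ORG

  Issued           Expires          Flags    Principal
Jan 26 20:34:02  Jan 27 03:14:02  I        krbtgt/EXAMPLE.ORG@EXAMPLE.ORG'

# Constructed ssh_config fragments: the first only enables GSSAPI
# authentication (the poster's situation: login works, nothing delegated),
# the second also requests delegation.
SSH_CONFIG_NO_DELEGATE='Host hostb
    GSSAPIAuthentication yes'
SSH_CONFIG_DELEGATE='Host hostb
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes'

# tgt_forwardable KLIST_TEXT -> prints yes/no.
# Finds the krbtgt/ line; the field just before the principal is the flags
# column unless it is the expiry time (contains ':'), meaning no flags at all.
tgt_forwardable() {
    printf '%s\n' "$1" | awk '
        /krbtgt\// {
            p = 0
            for (i = 1; i <= NF; i++) if ($i ~ /^krbtgt\//) p = i
            flags = ""
            if (p > 1 && $(p-1) !~ /:/) flags = $(p-1)
            result = (flags ~ /F/) ? "yes" : "no"
            found = 1
            exit
        }
        END { if (!found) result = "no"; print result }'
}

# delegation_requested SSH_CONFIG_TEXT -> prints yes/no.
# ssh_config keywords are case-insensitive and OpenSSH uses the first value
# it obtains for a keyword, so only the first occurrence is consulted.
delegation_requested() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "gssapidelegatecredentials" && !seen { v = tolower($2); seen = 1 }
        END { result = (v == "yes") ? "yes" : "no"; print result }'
}

# Stand-alone run: report each case.
echo "TGT forwardable (flags FI):    $(tgt_forwardable "$KLIST_FORWARDABLE")"
echo "TGT forwardable (flags I):     $(tgt_forwardable "$KLIST_NOT_FORWARDABLE")"
echo "delegation requested (before): $(delegation_requested "$SSH_CONFIG_NO_DELEGATE")"
echo "delegation requested (after):  $(delegation_requested "$SSH_CONFIG_DELEGATE")"
echo "one-off equivalent: ssh -o GSSAPIDelegateCredentials=yes hostb"
```

Both checks have to pass for the server side to log anything other than "Got no client credentials": a forwardable TGT that the client never offers, or a delegation request backed by a non-forwardable TGT, each leave host B with an empty credential cache exactly as in the quoted sshd -d output.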
