Ken Aaker wrote:
> Thanks for the clues, I am probably missing the host principal. I did
> try various settings of the GSSAPI ssh config parameters, but they
> didn't seem to change the behavior. For the host principal, do I need to
> have those in keytabs?

The GSS config params to ssh won't do a thing until you install the host key
on the server side. Mine is in krb5.keytab, in the same directory as
krb5.conf (/etc/kerberosV for me). This is Heimdal on OpenBSD, but Linux
and/or MIT should be similar.
If it still won't work, try "ssh -v" to see whether it's attempting GSS
authentication. When it works you'll see something like this:

    debug1: Authentications that can continue:
    publickey,gssapi-with-mic,password,keyboard-interactive
    debug1: Next authentication method: gssapi-with-mic
    debug1: Delegating credentials
    debug1: Delegating credentials
    debug1: Authentication succeeded (gssapi-with-mic).

I've got some other bits in my krb5.conf but I don't know if they are really
needed:

    [libdefaults]
        ticket_lifetime = 36000
        default_realm = CITI.UMICH.EDU
        forwardable = true

    [appdefaults]
        afs-use-524 = 2b
        no-addresses = true
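
Added example (not part of the original message): a shell function that reads captured "ssh -v" output and reports how far GSSAPI authentication got, keyed on the debug lines quoted above. The function name, the result labels and sample traces 2 and 3 are constructed for illustration.

```shell
# Added example. Live use: ssh -v HOST true 2>&1 | classify_gssapi
# Prints: succeeded | attempted-failed | offered-not-attempted | not-offered | no-auth-seen
classify_gssapi() {
    awk '
        # Method list wrapped onto its own line, as in the quoted trace.
        pending {
            pending = 0
            if ($0 !~ /^debug[0-9]:/) {
                if ($0 ~ /gssapi-with-mic/) offered = 1
                next
            }
        }
        # Methods the server will still accept.
        /^debug1: Authentications that can continue:/ {
            seen = 1; list = $0
            sub(/^debug1: Authentications that can continue:[ \t]*/, "", list)
            if (list == "") pending = 1
            else if (list ~ /gssapi-with-mic/) offered = 1
            next
        }
        /^debug1: Next authentication method: gssapi-with-mic/ { attempted = 1 }
        /^debug1: Authentication succeeded \(gssapi-with-mic\)/ { ok = 1 }
        END {
            if (ok) print "succeeded"
            else if (attempted) print "attempted-failed"
            else if (offered) print "offered-not-attempted"
            else if (seen) print "not-offered"
            else print "no-auth-seen"
        }
    '
}
# Sample 1: the success trace quoted in the message, line wrap included.
sample_ok='debug1: Authentications that can continue:
publickey,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentication succeeded (gssapi-with-mic).'
# Sample 2 (constructed): GSSAPI is tried, but the login ends up using a password.
sample_fallback='debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Next authentication method: password
debug1: Authentication succeeded (password).'
# Sample 3 (constructed): the server never lists gssapi-with-mic.
sample_not_offered='debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey'
for s in "$sample_ok" "$sample_fallback" "$sample_not_offered"; do printf '%s\n' "$s" | classify_gssapi; done
```

A result of attempted-failed means GSSAPI was tried but the session was not authenticated by it; per the reply above, the host key in the server's keytab is the first thing to check.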