david l goodrich wrote:
>
>> I get 3 "debug2: we sent a gssapi-with-mic packet, wait for reply"
>> messages, then it fails over to password. The keytab files are identical
>> on the machines, and GSSAPIAuthentication is turned on in sshd_config on
>> both. Still something to do with the keytab on "ralph"?
>>
>
> Ralph should have the principal host/ralph.example.com in its keytab, and
> mars should have host/mars.example.com. You don't want to use the same
> host principal across multiple hosts.
> --david
>
>

Hmmm.... Now I'm confused again. Maybe my mental model is screwed up. I was
assuming that the host principals listed in the keytab on the destination
system were being used to verify the identity of the incoming client host,
sort of like ssh's known_hosts? But then, how does the incoming system
choose its principal identity?

Ken

Here's the klist output of my /etc/krb5.keytab

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/[EMAIL PROTECTED]
   3 host/[EMAIL PROTECTED]
   2 host/[EMAIL PROTECTED]
   2 host/[EMAIL PROTECTED]
   2 host/[EMAIL PROTECTED]
   2 host/[EMAIL PROTECTED]
   2 host/[EMAIL PROTECTED]
   2 host/[EMAIL PROTECTED]
   2 host/[EMAIL PROTECTED]
   2 host/[EMAIL PROTECTED]
   2 host/[EMAIL PROTECTED]
   2 host/[EMAIL PROTECTED]
   2 host/[EMAIL PROTECTED]
   2 host/[EMAIL PROTECTED]

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
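
Added example, not part of the thread: one way to check a keytab listing against the advice quoted above, that each host's keytab carries its own host/<fqdn> principal and not another host's. The sample listing, the realm EXAMPLE.COM and the function names are constructed for illustration.

```python
import re

# Constructed sample of `klist -k` output for a keytab that was copied between
# two hosts (hostnames from the thread; the realm EXAMPLE.COM is an assumption).
SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/ralph.example.com@EXAMPLE.COM
   3 host/ralph.example.com@EXAMPLE.COM
   2 host/mars.example.com@EXAMPLE.COM
   2 host/mars.example.com@EXAMPLE.COM
"""

# One keytab entry line: KVNO, then service/instance@REALM.
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+?)/(\S+?)@(\S+)\s*$")

def audit_keytab(klist_output, fqdn):
    """Return (own_kvnos, foreign_hosts) for the host/ entries in a listing."""
    own_kvnos, foreign = set(), set()
    for line in klist_output.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header, separator, or a principal with no instance part
        kvno, service, instance, _realm = m.groups()
        if service != "host":
            continue
        if instance.lower() == fqdn.lower():
            own_kvnos.add(int(kvno))  # repeated lines are one key per enctype
        else:
            foreign.add(instance.lower())
    return sorted(own_kvnos), sorted(foreign)

def report(klist_output, fqdn):
    """Return a list of findings; an empty list means the keytab looks right."""
    own, foreign = audit_keytab(klist_output, fqdn)
    findings = []
    if not own:
        findings.append(f"no key for host/{fqdn} in this keytab")
    if foreign:
        findings.append("keys for other hosts present: " + ", ".join(foreign))
    return findings

if __name__ == "__main__":
    for finding in report(SAMPLE, "ralph.example.com"):
        print(finding)
```
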
