On Mon Jun 18 06:04:04 2001, Carl J. Nobile said:
> I found SSHing to my localhost didn't work very well, probably because I
> don't have it configured as a Kerberos server. I have no problem logging
> into a remote machine with SSH 2.4.0 without using a password as long as
> I do a kinit first. You are correct about the option change, I just
> changed my version of the source on SSH-1.4.0, but that's not necessary.

Carl,

If by 'configured as a Kerberos server', you mean having a host principal
registered for my local host and the appropriate keytab file installed, then
I already do. In fact, when SSH Kerberos password authentication succeeds,
I can see in my KDC log that a credential for 'host/<local FQDN>' is being
successfully acquired. Yet TGT authentication still doesn't work; that is,
I'm still prompted for a password (Kerberos or Unix) even when a TGT is
sitting in my credentials cache. (And I did check that the TGT is for the
same user that I'm trying to log in as.)

It's hard for me to test with a remote host, because I don't have any other
hosts that are running SSH with Kerberos support compiled in.

I have a feeling I may be overlooking some SSH configuration option, but
I don't know what that might be.

Thanks.

Mike

> On 16-Jun-01 Mike Friedman wrote:
>>
>> What I find is that Kerberos password authentication (i.e., 'proxy' auth)
>> works -- sshd accepts either my Kerberos passphrase or my Unix password
>> -- but I can't get Kerberos credential authentication to work. With the
>> above statement in my sshd2_config, even if I have first obtained a TGT, I'm
>> still prompted for a password and my Kerberos or Unix passwords do work.
>> It seems my credential is just ignored. In my test, the client and server
>> are the same machine and I made sure the above configuration appears in
>> both sshd2_config and ssh2_config.
----------------------------------------------------------------------------
Mike Friedman [EMAIL PROTECTED]
System & Network Security +1-510-642-1410
University of California at Berkeley http://ack.Berkeley.EDU/~mikef
----------------------------------------------------------------------------