
Re: Kerberos auth based on ticket

daemon@ATHENA.MIT.EDU (Mathew Rowley)
Mon Dec 15 19:57:12 2008

Date: Mon, 15 Dec 2008 17:55:51 -0700
From: Mathew Rowley <mathew_rowley@cable.comcast.com>
To: Russ Allbery <rra@stanford.edu>
Message-ID: <C56C4AA7.4F7C%mathew_rowley@cable.comcast.com>
In-Reply-To: <87wse1xa2a.fsf@windlord.stanford.edu>
Mime-version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Ok, using the correct hostname, the same thing happens:

[root@ipa01 ~]# ssh mrowley@`hostname`
mrowley@ipa01.security.lab.comcast.com's password:
Last login: Mon Dec 15 18:42:09 2008 from localhost.localdomain

**Trying to log in with a valid ticket, but asks for password
[mrowley@ipa01 ~]$ ssh mrowley@`hostname`
mrowley@ipa01.security.lab.comcast.com's password:

**Shows that there is a ticket
[mrowley@ipa01 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_502_WaiNgJ
Default principal: mrowley@IPA.COMCAST.COM

Valid starting     Expires            Service principal
12/15/08 19:52:10  12/16/08 05:52:10  krbtgt/IPA.COMCAST.COM@IPA.COMCAST.COM
        renew until 12/15/08 19:52:10


Kerberos 4 ticket cache: /tmp/tkt502
klist: You have no tickets cached

**Showing the Kerberos realm is the same as the ssh'ed hostname
[mrowley@ipa01 ~]$ cat /etc/krb5.conf
...
[realms]
 IPA.COMCAST.COM = {
  kdc = ipa01.security.lab.comcast.com:88
  admin_server = ipa01.security.lab.comcast.com:749
  default_domain = security.lab.comcast.com
  database_module = openldap_ldapconf
 }
...


MAT



On 12/15/08 5:01 PM, "Russ Allbery" <rra@stanford.edu> wrote:

> Mathew Rowley <mathew_rowley@cable.comcast.com> writes:
> 
>> > Well, that would make sense... Looking at the sshd and ssh configurations,
>> > it seems to be enabled on both.  Is there some configuration I am missing?
>> >
>> > [root@ipa01 ~]# grep -i GSSAPI  /etc/ssh/ssh_config
>> >         GSSAPIAuthentication yes
>> > [root@ipa01 ~]# grep -i GSSAPI  /etc/ssh/sshd_config
>> > # GSSAPI options
>> > GSSAPIAuthentication yes
>> > GSSAPICleanupCredentials yes
> 
> Your original pasted example showed you ssh'ing to user@localhost.  Unless
> you have a key for localhost in your keytab, that probably isn't going to
> work.  ssh authenticates to the hostname that you type on the command
> line.
> 
> --
> Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
> 

-- 
MAT
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
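The thread above inspects four things by hand: the client and server `GSSAPIAuthentication` settings, the ticket cache, and whether the name typed on the `ssh` command line maps to a host principal the server actually has a key for. The following Python script, added here as an example and not code from the thread or from MIT Kerberos, turns those checks into functions and runs them over constructed copies of the text Mathew pasted. The `Host *` line in `SSH_CONFIG`, the keytab listing in `KEYTAB_PRINCIPALS` and the name-resolution table `CANONICAL_NAMES` are assumptions, not shown on the page; on a real host you would read the files and pass `socket.getfqdn` as the `canonical` resolver instead.

```python
"""Pre-flight checks for Kerberos (GSSAPI) single sign-on over ssh.

Added example. Inputs are constructed copies of what the thread shows
plus a few assumed values, so it runs offline. Swap in real file contents
and socket.getfqdn to use it on a host.
"""
import re
from datetime import datetime

# ---- constructed inputs ---------------------------------------------------
SSH_CONFIG = """\
Host *
        GSSAPIAuthentication yes
"""  # 'Host *' is assumed; the thread only shows the indented option line

SSHD_CONFIG = """\
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
"""

KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_502_WaiNgJ
Default principal: mrowley@IPA.COMCAST.COM

Valid starting     Expires            Service principal
12/15/08 19:52:10  12/16/08 05:52:10  krbtgt/IPA.COMCAST.COM@IPA.COMCAST.COM
        renew until 12/15/08 19:52:10


Kerberos 4 ticket cache: /tmp/tkt502
klist: You have no tickets cached
"""

# Assumed `klist -k` contents on the server: one key, for the host's FQDN.
KEYTAB_PRINCIPALS = {"host/ipa01.security.lab.comcast.com@IPA.COMCAST.COM"}

# Assumed name resolution on the box, standing in for socket.getfqdn().
CANONICAL_NAMES = {
    "localhost": "localhost.localdomain",
    "ipa01": "ipa01.security.lab.comcast.com",
    "ipa01.security.lab.comcast.com": "ipa01.security.lab.comcast.com",
}

TICKET_TIME = datetime(2008, 12, 15, 20, 0, 0)   # inside the TGT lifetime
AFTER_EXPIRY = datetime(2008, 12, 16, 6, 0, 0)   # after it has expired


def gssapi_auth_setting(config_text):
    """First uncommented GSSAPIAuthentication value (lowercased), or None.

    Comment lines are skipped on purpose: `grep -i GSSAPI` also matches the
    '# GSSAPI options' banner, which says nothing about what is enabled.
    """
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = re.match(r"(?i)GSSAPIAuthentication\s+(\S+)", stripped)
        if m:
            return m.group(1).lower()
    return None


_KLIST_ROW = re.compile(r"^(\S+ \S+)\s+(\S+ \S+)\s+(\S+)$")


def parse_klist(text):
    """Return [(service_principal, valid_from, expires)] for each ticket row."""
    rows = []
    for line in text.splitlines():
        m = _KLIST_ROW.match(line.strip())
        if not m:
            continue
        try:
            start = datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S")
            end = datetime.strptime(m.group(2), "%m/%d/%y %H:%M:%S")
        except ValueError:
            continue  # header, 'renew until' or other non-ticket line
        rows.append((m.group(3), start, end))
    return rows


def default_principal(text):
    m = re.search(r"^Default principal:\s+(\S+)$", text, re.M)
    return m.group(1) if m else None


def has_valid_tgt(klist_text, realm, now):
    """True if the cache holds an unexpired krbtgt for `realm` at time `now`."""
    tgt = "krbtgt/%s@%s" % (realm, realm)
    return any(svc == tgt and start <= now < end
               for svc, start, end in parse_klist(klist_text))


def expected_host_principal(typed_host, realm, canonical=CANONICAL_NAMES.get):
    """Service principal the ssh client will request from the KDC.

    The name is derived from what was typed on the command line (after the
    krb5 library's canonicalisation, modelled by `canonical`), not from
    whatever the server calls itself; sshd must hold a key for exactly it.
    """
    fqdn = canonical(typed_host) or typed_host
    return "host/%s@%s" % (fqdn.lower(), realm)


def precheck(typed_host, now, ssh_config=SSH_CONFIG, sshd_config=SSHD_CONFIG,
             klist_text=KLIST_OUTPUT, keytab=KEYTAB_PRINCIPALS):
    """Return {check_name: (ok, detail)} for the four usual failure points."""
    princ = default_principal(klist_text)
    realm = princ.split("@", 1)[1] if princ and "@" in princ else None
    host_princ = expected_host_principal(typed_host, realm) if realm else None
    return {
        "client_gssapi": (gssapi_auth_setting(ssh_config) == "yes",
                          "GSSAPIAuthentication yes in ssh_config"),
        "server_gssapi": (gssapi_auth_setting(sshd_config) == "yes",
                          "GSSAPIAuthentication yes in sshd_config"),
        "tgt": (bool(realm) and has_valid_tgt(klist_text, realm, now),
                "unexpired TGT for %s" % realm),
        "host_key": (host_princ in keytab,
                     "%s present in server keytab" % host_princ),
    }


def all_ok(results):
    return all(ok for ok, _ in results.values())


if __name__ == "__main__":
    for target in ("localhost", "ipa01.security.lab.comcast.com"):
        res = precheck(target, TICKET_TIME)
        print("ssh mrowley@%s -> %s" % (target, "ok" if all_ok(res) else "FAIL"))
        for name, (ok, detail) in res.items():
            print("  [%s] %s" % ("ok" if ok else "!!", detail))
```

Run as-is, the `localhost` target fails only the `host_key` check (the client would ask for `host/localhost.localdomain@IPA.COMCAST.COM`, which the keytab does not hold), while the FQDN target passes all four; that is the difference Russ points at. The config parser ignores comment lines, so a `# GSSAPI options` banner no longer counts as evidence that the option is on.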
