[30548] in Kerberos


Re: Kerberos auth based on ticket

daemon@ATHENA.MIT.EDU (Chris Hoy Poy)
Tue Dec 16 11:16:18 2008

Date: Tue, 16 Dec 2008 09:09:28 +0800 (GMT+08:00)
From: Chris Hoy Poy <kryanth@gopc.net>
To: Mathew Rowley <mathew_rowley@cable.comcast.com>
Message-ID: <15164409.184041229389768278.JavaMail.root@mailstore01.gopc.net>
In-Reply-To: <C56C4AA7.4F7C%mathew_rowley@cable.comcast.com>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

What does "ssh -v username@`hostname`" provide? And is hostname the same as the host principal you set up? ssh -v will tell which ones it's trying, at least.
//chris
----- Original Message -----
From: "Mathew Rowley" <mathew_rowley@cable.comcast.com>
To: "Russ Allbery" <rra@stanford.edu>
Cc: kerberos@mit.edu
Sent: Tuesday, 16 December, 2008 9:55:51 AM GMT +08:00 Beijing / Chongqing / Hong Kong / Urumqi
Subject: Re: Kerberos auth based on ticket
Ok, using the correct hostname, the same thing happens:

[root@ipa01 ~]# ssh mrowley@`hostname`
mrowley@ipa01.security.lab.comcast.com's password:
Last login: Mon Dec 15 18:42:09 2008 from localhost.localdomain

**Trying to log in with a valid ticket, but asks for password
[mrowley@ipa01 ~]$ ssh mrowley@`hostname`
mrowley@ipa01.security.lab.comcast.com's password:

**Shows that there is a ticket
[mrowley@ipa01 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_502_WaiNgJ
Default principal: mrowley@IPA.COMCAST.COM

Valid starting     Expires            Service principal
12/15/08 19:52:10  12/16/08 05:52:10  krbtgt/IPA.COMCAST.COM@IPA.COMCAST.COM
        renew until 12/15/08 19:52:10

Kerberos 4 ticket cache: /tmp/tkt502
klist: You have no tickets cached

**Showing the kerberos realm is the same as the ssh'ed hostname
[mrowley@ipa01 ~]$ cat /etc/krb5.conf
...
[realms]
 IPA.COMCAST.COM = {
  kdc = ipa01.security.lab.comcast.com:88
  admin_server = ipa01.security.lab.comcast.com:749
  default_domain = security.lab.comcast.com
  database_module = openldap_ldapconf
 }
...

MAT


On 12/15/08 5:01 PM, "Russ Allbery" <rra@stanford.edu> wrote:
> Mathew Rowley <mathew_rowley@cable.comcast.com> writes:
>
>> Well, that would make sense... Looking at the sshd and ssh configurations,
>> it seems to be enabled on both.  Is there some configuration I am missing?
>>
>> [root@ipa01 ~]# grep -i GSSAPI  /etc/ssh/ssh_config
>>         GSSAPIAuthentication yes
>> [root@ipa01 ~]# grep -i GSSAPI  /etc/ssh/sshd_config
>> # GSSAPI options
>> GSSAPIAuthentication yes
>> GSSAPICleanupCredentials yes
>
> Your original pasted example showed you ssh'ing to user@localhost.  Unless
> you have a key for localhost in your keytab, that probably isn't going to
> work.  ssh authenticates to the hostname that you type on the command
> line.
>
> --
> Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
--
MAT
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
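The two diagnostics raised in this thread, the keytab entry for the exact name you ssh to (Russ) and what "ssh -v" says about gssapi-with-mic (Chris), as an added example that is not code from the thread or from MIT Kerberos/OpenSSH. It works offline over constructed samples in the shape of `klist -k` and `ssh -v` output; the hostnames and realm are the ones quoted in the thread, and the function names are this example's own. On a real box you would feed it `klist -k /etc/krb5.keytab` and `ssh -v user@host 2>&1` instead.

```shell
#!/bin/sh
# Added example, not code from the list thread. It checks (1) whether the keytab
# holds host/<fqdn>@REALM for the name you type after "ssh user@", and (2) what a
# client-side "ssh -v" trace says about gssapi-with-mic. Both inputs below are
# constructed samples, not real captures.

# Constructed sample in the shape of `klist -k /etc/krb5.keytab`.
KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/ipa01.security.lab.comcast.com@IPA.COMCAST.COM'

# Constructed sample in the shape of `ssh -v user@host 2>&1`: gssapi-with-mic is
# offered and tried, then ssh falls back to password, which is what Mathew sees.
SSH_VERBOSE='debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
debug1: Next authentication method: password'

# The service principal ssh asks the KDC for when you type user@<name>.
service_principal_for() {
    printf 'host/%s@%s\n' "$1" "$2"
}

# Return 0 if the keytab listing contains host/<fqdn>@<realm>. "localhost" will
# only be present if you deliberately added a key for it, as Russ notes.
keytab_has_host_principal() {
    listing=$1 fqdn=$2 realm=$3
    printf '%s\n' "$listing" | grep -Fq "$(service_principal_for "$fqdn" "$realm")"
}

# Classify a client-side "ssh -v" trace with respect to GSSAPI:
#   not-offered   sshd did not advertise gssapi-with-mic (server-side GSSAPIAuthentication off)
#   not-tried     advertised, but the client never tried it (client-side GSSAPIAuthentication off)
#   fell-through  tried, then ssh moved on to another method: GSSAPI did not succeed for
#                 that host name (the symptom in this thread)
#   ok            tried and no later method was attempted
gssapi_status() {
    trace=$1
    if ! printf '%s\n' "$trace" | grep -q 'Authentications that can continue:.*gssapi-with-mic'; then
        echo not-offered; return 0
    fi
    if ! printf '%s\n' "$trace" | grep -q 'Next authentication method: gssapi-with-mic'; then
        echo not-tried; return 0
    fi
    # Any "Next authentication method:" after the gssapi attempt means it failed.
    if printf '%s\n' "$trace" \
        | sed -n '/Next authentication method: gssapi-with-mic/,$p' \
        | tail -n +2 \
        | grep -q 'Next authentication method:'; then
        echo fell-through; return 0
    fi
    echo ok
}

# Demo run over the constructed samples.
for name in localhost ipa01.security.lab.comcast.com; do
    if keytab_has_host_principal "$KEYTAB_LISTING" "$name" IPA.COMCAST.COM; then
        echo "keytab has $(service_principal_for "$name" IPA.COMCAST.COM)"
    else
        echo "keytab lacks $(service_principal_for "$name" IPA.COMCAST.COM): ssh $name cannot use GSSAPI"
    fi
done
echo "ssh -v verdict: $(gssapi_status "$SSH_VERBOSE")"
```

The "fell-through" verdict is the one to chase: the server offered gssapi-with-mic and the client tried it, so the sshd and ssh_config settings quoted above are not the problem, and the next things to compare are the name in the keytab, the name ssh resolves from `hostname`, and the realm mapping in krb5.conf.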
