[19466] in Kerberos
Re: Forwarding Kerberos Credentials - SSH
daemon@ATHENA.MIT.EDU (Donn Cave)
Mon Jun 23 17:12:45 2003
From: Donn Cave <donn@u.washington.edu>
Date: Mon, 23 Jun 2003 13:48:28 -0700
Message-ID: <donn-2E4E73.13482823062003@nntp2.u.washington.edu>
To: kerberos@MIT.EDU
Errors-To: kerberos-bounces@mit.edu
In article <00a501c3393f$b366fda0$ad978dca@CDACMUMBAI.CDACINDIA.COM>,
paragg@konark.ncst.ernet.in ("Parag Godkar") wrote:
...
> 9. Now from this telnet/ssh session, I would like the users to
> telnet/ssh to another linux server (or to the same server)
> in the same kerberos domain WITHOUT BEING PROMPTED FOR A
> PASSWORD.
>
> NOW THIS IS WHAT I WANT TO KNOW IF IT IS
> PRACTICABLE OR I AM TRYING TO DO SOMETHING
> IMPOSSIBLE?

Yes! It is possible, and everything up to here leads me to
expect it will work.

But as another followup has already pointed out, the server
apparently has no service key - from the server diagnostics,

> Miscellaneous failure No principal in keytab matches desired name

Someone needs to create a principal host/x.y.z and add its key
to /etc/krb5.keytab on x.y.z (the remote host).

Remember when testing the client, you must do that as the user
who logged in and has the credentials -- don't do it as root.

> 3. I have the following relevant lines in my sshd_config -
>
> #RSAAuthentication yes
> #PubkeyAuthentication yes
> #AuthorizedKeysFile .ssh/authorized_keys
> #PasswordAuthentication yes
> #PermitEmptyPasswords no
> #ChallengeResponseAuthentication yes
> KerberosAuthentication yes
> #KerberosOrLocalPasswd yes
> #KerberosTicketCleanup yes
> GssapiAuthentication yes
> GssapiKeyExchange yes
> GssapiUseSessionCredCache yes
> #AFSTokenPassing no
> #KerberosTgtPassing no
> #PAMAuthenticationViaKbdInt no
>
> and the following relevant lines in my ssh_config -
>
> # Host *
> # ForwardAgent no
> # ForwardX11 no
> # PasswordAuthentication yes
> GssapiAuthentication yes
> GSSAPIDelegateCredentials yes

"KerberosAuthentication yes" alone, in both, should be enough,
something you can easily try if you have further difficulties.

Donn Cave, donn@u.washington.edu
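
Added example, not part of the original message and not code from any Kerberos or SSH distribution: a check for the condition behind "No principal in keytab matches desired name", namely whether a keytab holds a host/<fqdn> entry. It assumes the keytab file format version 0x0502 layout; the realm EXAMPLE.COM, the host x.example.com and the sample entries are constructed placeholders.

```python
import struct

def keytab_principals(data):
    """List principals (name@REALM) in a version 0x0502 keytab image."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    names, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:  # negative length marks a deleted entry (hole)
            pos += -size
            continue
        entry, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        off, parts = 2, []
        for _ in range(ncomp + 1):  # realm first, then each name component
            (n,) = struct.unpack_from(">H", entry, off)
            parts.append(entry[off + 2:off + 2 + n].decode())
            off += 2 + n
        names.append("/".join(parts[1:]) + "@" + parts[0])
    return names

def has_host_key(data, fqdn):
    """True if some entry is for host/<fqdn> in any realm."""
    return any(p.startswith("host/" + fqdn + "@") for p in keytab_principals(data))

def sample_entry(realm, components, kvno=1):
    """Build one constructed entry with an all-zero dummy key."""
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = struct.pack(">H", len(components)) + cs(realm)
    body += b"".join(cs(c) for c in components)
    body += struct.pack(">IIB", 1, 0, kvno)         # name type, timestamp, kvno
    body += struct.pack(">HH", 17, 16) + bytes(16)  # enctype, key length, key
    return struct.pack(">i", len(body)) + body

# Constructed samples: realm and host names are placeholders.
NO_HOST = b"\x05\x02" + sample_entry("EXAMPLE.COM", ["nfs", "x.example.com"])
WITH_HOST = NO_HOST + sample_entry("EXAMPLE.COM", ["host", "x.example.com"])

if __name__ == "__main__":
    for label, image in (("before", NO_HOST), ("after", WITH_HOST)):
        print(label, keytab_principals(image), has_host_key(image, "x.example.com"))
```

On a real server the input would be the bytes of /etc/krb5.keytab, read as root, and the result can be compared with the output of `klist -k`.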