[23983] in Kerberos
Re: Single sign-on with ssh (only unix)
daemon@ATHENA.MIT.EDU (Nathan Ollerenshaw)
Thu Jun 2 23:26:50 2005
In-Reply-To: <EB9D21B7-6A58-406E-94FB-C0924217598A@valuecommerce.co.jp>
Message-Id: <D58619E8-E265-45AF-9E5B-5869E9EAB4E4@valuecommerce.co.jp>
From: Nathan Ollerenshaw <nathan@valuecommerce.co.jp>
Date: Fri, 3 Jun 2005 12:26:02 +0900
To: kerberos@mit.edu
Hi again folks!
I eventually got it working partially, but I have a question.
serenity:~ chrome$ klist -f
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: chrome@VALUECOMMERCE.COM
Valid Starting Expires Service Principal
06/03/05 11:56:31 06/03/05 21:56:29 krbtgt/VALUECOMMERCE.COM@VALUECOMMERCE.COM
renew until 06/03/05 11:56:31, FPRI
06/03/05 11:56:37 06/03/05 21:56:29 host/monster.sys.intra@VALUECOMMERCE.COM
renew until 06/03/05 11:56:31, FPRT
06/03/05 11:56:43 06/03/05 21:56:29 host/nuts.sys.intra@VALUECOMMERCE.COM
renew until 06/03/05 11:56:31, FPRT
klist: No Kerberos 4 tickets in credentials cache
serenity:~ chrome$ ssh monster.sys.intra
Last login: Fri Jun 3 12:22:46 2005 from nuts.sys.intra
[chrome@monster.sys.intra ~]$ ssh nuts.sys.intra
Last login: Fri Jun 3 12:22:40 2005 from monster.sys.intra
[chrome@nuts.sys.intra ~]$ ssh monster.sys.intra
Last login: Fri Jun 3 12:23:21 2005 from 10.0.13.24
[chrome@monster.sys.intra ~]$ ssh nuts.sys.intra
Permission denied (gssapi-with-mic).
[chrome@monster.sys.intra ~]$
That should work, right? I should be able to go workstation -> monster -> nuts -> monster -> nuts -> monster -> etc, right?
serenity:~ chrome$ kinit -f
Please enter the password for chrome@VALUECOMMERCE.COM:
serenity:~ chrome$ klist -f
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: chrome@VALUECOMMERCE.COM
Valid Starting Expires Service Principal
06/03/05 12:24:57 06/03/05 22:24:54 krbtgt/VALUECOMMERCE.COM@VALUECOMMERCE.COM
renew until 06/03/05 12:24:57, FPRI
klist: No Kerberos 4 tickets in credentials cache
serenity:~ chrome$ ssh monster.sys.intra
Last login: Fri Jun 3 12:24:39 2005 from 10.0.13.24
[chrome@monster.sys.intra ~]$ klist -f
Ticket cache: FILE:/tmp/krb5cc_500_wG5550
Default principal: chrome@VALUECOMMERCE.COM
Valid starting Expires Service principal
06/03/05 12:25:17 06/03/05 22:24:54 krbtgt/VALUECOMMERCE.COM@VALUECOMMERCE.COM
renew until 06/03/05 12:24:57, Flags: FfPRT
Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
[chrome@monster.sys.intra ~]$ ssh nuts.sys.intra
Last login: Fri Jun 3 12:23:24 2005 from monster.sys.intra
[chrome@nuts.sys.intra ~]$ klist -f
Ticket cache: FILE:/tmp/krb5cc_5002
Default principal: chrome@VALUECOMMERCE.COM
Valid starting Expires Service principal
06/03/05 11:39:57 06/04/05 11:39:57 krbtgt/VALUECOMMERCE.COM@VALUECOMMERCE.COM
renew until 06/03/05 11:39:57, Flags: FRI
06/03/05 11:40:03 06/04/05 11:39:57 host/monster.sys.intra@VALUECOMMERCE.COM
renew until 06/03/05 11:39:57, Flags: FRT
Kerberos 4 ticket cache: /tmp/tkt5002
klist: You have no tickets cached
[chrome@nuts.sys.intra ~]$ ssh monster.sys.intra
Last login: Fri Jun 3 12:25:17 2005 from 10.0.13.24
[chrome@monster.sys.intra ~]$ klist -f
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_500)
Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
[chrome@monster.sys.intra ~]$
It seems that after a few hops, I lose the ticket forwarding?
Regards,
Nathan.
--
Nathan Ollerenshaw / Systems Engineer
Systems Engineering
ValueCommerce Co., Ltd.
Tokyo Bldg 4F 3-32-7 Hongo Bunkyo-ku Tokyo 113-0033 Japan
Tel. +81.3.3817.8995 Fax. +81.3.3812.4051
mailto:nathan@valuecommerce.co.jp
"The man who carries a cat by the tail learns something
that can be learned in no other way." - Mark Twain