[31782] in Kerberos

Re: Kerberos tickets, SSH public key auth, AFS tokens

daemon@ATHENA.MIT.EDU (Jeff Blaine)
Wed Dec 16 22:21:42 2009

Message-ID: <4B29A38D.3090405@stage-infinity.com>
Date: Wed, 16 Dec 2009 22:20:45 -0500
From: Jeff Blaine <jblaine@stage-infinity.com>
MIME-Version: 1.0
To: Russ Allbery <rra@stanford.edu>
In-Reply-To: <87iqc6z8na.fsf@windlord.stanford.edu>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On 12/16/2009 8:33 PM, Russ Allbery wrote:
> Jeff Blaine <jblaine@stage-infinity.com> writes:
>
>> sshd[20489]: [ID 237248 auth.debug] (pam_afs_session):
>> pam_sm_open_session: entry (0x0)
>> sshd[20489]: [ID 237248 auth.debug] (pam_afs_session): skipping tokens,
>> no Kerberos ticket cache
>
> Hm, are you sure that tickets are being forwarded?  In other words, after
> login, if you run klist, do you have a ticket cache?
>
> (It's expected that pam-krb5 will do nothing in the case of GSSAPI
> authentication.)
>

Yup, they're there, just no tokens.  I even tried a
pam_krb5RA2.so and pam_afs_session2.so built against
the Sun kerberos instead of our local MIT kerberos
for kicks.  Same result.

~:faron> kdestroy
~:faron> logout
Connection to faron closed.
~:cairo> /usr/bin/ssh -o "GSSAPIDelegateCredentials yes" faron
~:faron> klist
Ticket cache: FILE:/tmp/krb5cc_26560
Default principal: jblaine@RCF.FOO.ORG

Valid starting     Expires            Service principal
12/16/09 22:18:51  12/23/09 19:05:33  krbtgt/RCF.FOO.ORG@RCF.FOO.ORG
         renew until 12/23/09 19:05:33


Kerberos 4 ticket cache: /tmp/tkt26560
klist: You have no tickets cached
~:faron>

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
