[32132] in Kerberos

Using OpenSSH with multiple Kerberos principals

daemon@ATHENA.MIT.EDU (Jiawen Chen)
Tue Mar 9 08:08:20 2010

From: Jiawen Chen <jiawen@mit.edu>
Date: Tue, 9 Mar 2010 02:01:27 -0500
Message-Id: <3B64A3FC-9C37-4F3B-9C6C-E7AFB1347BDE@mit.edu>
To: kerberos@mit.edu

I apologize if this is the wrong list on which to ask for help. If that's the case, please send me a pointer to the right list (perhaps the OpenSSH list?).

I have two Kerberos principals, jiawen@ATHENA.MIT.EDU and jiawen@CSAIL.MIT.EDU, which I'd like to use with OpenSSH to log in to dialup servers at Athena and CSAIL, respectively, without passwords. I'm using OpenSSH 5.2p1 on Mac OS X 10.6.

My .ssh/config is set so that Kerberos is being used:

$ cat .ssh/config
ForwardX11 yes
ForwardAgent yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

And when used individually, I can log into Athena and CSAIL without passwords:

$ kdestroy -A
$ kinit jiawen@ATHENA.MIT.EDU

$ klist -A
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: jiawen@ATHENA.MIT.EDU

Valid Starting     Expires            Service Principal
03/09/10 01:56:42  03/09/10 11:56:42  krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
	renew until 03/16/10 02:56:42

$ ssh linux.dialup.mit.edu
<I can log in without a password>

Similarly, for login.csail.mit.edu. However, if I acquire both principals, OpenSSH appears to use only the latest one:

$ kinit jiawen@CSAIL.MIT.EDU
$ klist
Kerberos 5 ticket cache: 'API:3'
Default principal: jiawen@CSAIL.MIT.EDU

Valid Starting     Expires            Service Principal
03/09/10 01:58:15  03/09/10 11:58:14  krbtgt/CSAIL.MIT.EDU@CSAIL.MIT.EDU
	renew until 03/16/10 02:58:15

$ klist -A
Kerberos 5 ticket cache: 'API:3'
Default principal: jiawen@CSAIL.MIT.EDU

Valid Starting     Expires            Service Principal
03/09/10 01:58:15  03/09/10 11:58:14  krbtgt/CSAIL.MIT.EDU@CSAIL.MIT.EDU
	renew until 03/16/10 02:58:15


-------------------------------------------------------------------------------
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: jiawen@ATHENA.MIT.EDU

Valid Starting     Expires            Service Principal
03/09/10 01:56:42  03/09/10 11:56:42  krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
	renew until 03/16/10 02:56:42

Once the default principal has been set to the CSAIL one, I can no longer access linux.dialup.mit.edu without a password. Is there a way to make OpenSSH "search" for the appropriate one? Or is there a magic command to change the default principal, so I can script my way around the problem?

Thanks,

Jiawen

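As an added example (not part of Jiawen's post, and not OpenSSH or MIT krb5 code), a small POSIX shell wrapper that does the "search" the post asks for on the client side: it maps the destination host to a realm using a constructed domain_realm-style table, finds the cache in `klist -A` output whose principal is in that realm, and runs ssh with KRB5CCNAME pointing at it. It assumes the `klist -A` layout shown above and that the table is edited for the site.

```shell
# Added example, not code from the original post: pick the credential cache
# whose principal is in the destination host's realm and run ssh with
# KRB5CCNAME set to it. Assumes `klist -A` output in the format the post shows.

# Constructed table mirroring a krb5.conf [domain_realm] section: a leading
# dot matches hosts under the domain, no dot is an exact host; longest wins.
DOMAIN_REALM='
.csail.mit.edu  CSAIL.MIT.EDU
.mit.edu        ATHENA.MIT.EDU
'

# Constructed sample of `klist -A` output (two caches, as in the post).
SAMPLE_KLIST="Kerberos 5 ticket cache: 'API:3'
Default principal: jiawen@CSAIL.MIT.EDU
----------------------------------------
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: jiawen@ATHENA.MIT.EDU"

# realm_for_host HOST -> prints the realm mapped to HOST, nothing if unmapped.
realm_for_host() {
    printf '%s\n' "$DOMAIN_REALM" | awk -v h="$1" '
        BEGIN { h = tolower(h) }
        NF == 2 {
            d = $1
            if (substr(d, 1, 1) == ".")
                ok = (length(h) > length(d) && substr(h, length(h) - length(d) + 1) == d)
            else
                ok = (h == d)
            if (ok && length(d) > best) { best = length(d); realm = $2 }
        }
        END { if (realm != "") print realm }'
}

# ccache_for_realm REALM KLIST_OUTPUT -> first cache whose principal is in REALM.
ccache_for_realm() {
    printf '%s\n' "$2" | awk -v want="$1" -v q="'" '
        /^Kerberos 5 ticket cache:/ { split($0, part, q); cache = part[2] }
        /^Default principal:/ {
            if (split($3, p, "@") == 2 && p[2] == want) { print cache; exit }
        }'
}

# ssh_krb HOST [SSH_ARGS...] -> ssh with the matching cache; falls back to
# the current default cache when there is no mapping or no matching cache.
ssh_krb() {
    realm=$(realm_for_host "$1"); cache=""
    [ -n "$realm" ] && cache=$(ccache_for_realm "$realm" "$(klist -A 2>/dev/null)")
    if [ -n "$cache" ]; then KRB5CCNAME=$cache ssh "$@"; else ssh "$@"; fi
}
```

Later MIT krb5 releases (1.10 and up) do this selection themselves when the caches live in a cache collection, so the wrapper matters mainly for older client libraries such as the one in the post.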
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
