Re: Can't Get Kerberos & ssh to forward authentication / tickets (ssh without entering password)

From: Sensei (senseiwa_at_tin.it)
Date: 10/14/05

• Next message: stevendavidruiz_at_gmail.com: "Re: Can't Get Kerberos & ssh to forward authentication / tickets (ssh without entering password)"
• Previous message: stevendavidruiz_at_gmail.com: "Re: Can't Get Kerberos & ssh to forward authentication / tickets (ssh without entering password)"
• In reply to: stevendavidruiz_at_gmail.com: "Can't Get Kerberos & ssh to forward authentication / tickets (ssh without entering password)"
• Next in thread: stevendavidruiz_at_gmail.com: "Re: Can't Get Kerberos & ssh to forward authentication / tickets (ssh without entering password)"
• Reply: stevendavidruiz_at_gmail.com: "Re: Can't Get Kerberos & ssh to forward authentication / tickets (ssh without entering password)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 14 Oct 2005 21:29:40 +0200

On 2005-10-14 21:05:01 +0200, stevendavidruiz@gmail.com said:
>
> Miscellaneous failure\nNo principal in keytab matches desired name

I will try to help you.

Question: do you have your keytabs correctly set? You must have a
principal host/host.name@REALM on each side: host/server (on the
server) and host/client (on the client of course).

The most important things on sshd_config side are:

UsePrivilegeSeparation no
PasswordAuthentication yes
KerberosAuthentication yes
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPIUseSessionCredCache yes
UsePAM yes

On the client side, ssh_config:

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

And of course, the KVNO *MUST* be the same on keytab and kerberos db.

-- 
Sensei <senseiwa@mac.com>
The difference between stupidity and genius is that genius has its 
limits. (A. Einstein)

• Next message: stevendavidruiz_at_gmail.com: "Re: Can't Get Kerberos & ssh to forward authentication / tickets (ssh without entering password)"
• Previous message: stevendavidruiz_at_gmail.com: "Re: Can't Get Kerberos & ssh to forward authentication / tickets (ssh without entering password)"
• In reply to: stevendavidruiz_at_gmail.com: "Can't Get Kerberos & ssh to forward authentication / tickets (ssh without entering password)"
• Next in thread: stevendavidruiz_at_gmail.com: "Re: Can't Get Kerberos & ssh to forward authentication / tickets (ssh without entering password)"
• Reply: stevendavidruiz_at_gmail.com: "Re: Can't Get Kerberos & ssh to forward authentication / tickets (ssh without entering password)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Cant get kerberos5/afs working well ... clients based on gentoo (ssh version 3.8p1). ... libpam-openafs-session && aklog (the debian packages). ... KerberosAuthentication yes ... GSSAPIAuthentication yes ... (comp.security.ssh) Re: SSH Private/Public Key Authentication ... > # RhostsRSAAuthentication and HostbasedAuthentication ... (comp.security.ssh)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint