gssapi-with-mic and Win2K KDC?
cawlfiel
cawlfiel at austin.ibm.com
Thu Jun 3 06:16:04 EST 2004
I was experiencing a very similar-sounding problem. My client/server
debug outputs didn't even show Kerberos or GSSAPI being tried. When we
were testing 3.7.1p2, we didn't have to set any Kerberos/GSSAPI options
on the client's /etc/ssh/ssh_config file... Kerberos auth worked fine
as-is.

Kerberos auth wasn't working for us on 3.8.1p1, so we tried to set
GSSAPIAuthentication to yes on the 3.8.1p1 client. Even though we had
#defined both KRB5 and GSSAPI, the 3.8.1p1 client kept reporting
GSSAPIAuthentication as an unsupported option.

I went into readconf.c and changed:

	if (options->gss_authentication == -1)
		options->gss_authentication = 0;

to

	if (options->gss_authentication == -1)
		options->gss_authentication = 1;

and after that, Kerberos works like a charm. Maybe that'll solve the
problem you're experiencing as well?
-Kevin
Andreas wrote:
>
> On Tue, Jun 01, 2004 at 03:42:43PM -0700, Aaron Grewell wrote:
> > Hmm. One of the things I noticed was that running sshd in debug mode
> > "-D -ddd" and watching a connection attempt did not show anything about
> > Kerberos or GSSAPI. I'm not sure what that means. I ran ldd against
> > sshd and it is linked against my kerb libraries, so I'm not sure how to
> > proceed.
>
> You have to enable gssapi on the server, it's not on by default afaik,
> not even on the client (!). Check for "GSSAPIAuthentication yes" on both
> the server and the client.
--
-----------------------
Kevin Cawlfield
AIX IP Security
cawlfiel at austin.ibm.com
-----------------------
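
The check Andreas describes in the quoted reply (an explicit "GSSAPIAuthentication yes" on both the server and the client), as an added example that is not part of the original thread or of OpenSSH. The function name gss_setting and the sample files are hypothetical; Host/Match blocks are only flagged, not evaluated, and Include is not followed.

```shell
#!/bin/sh
# gss_setting FILE
# Print the first GSSAPIAuthentication value in an ssh_config/sshd_config
# style file, or "unset" when the keyword never appears (the case in which
# the compiled-in default from the readconf.c excerpt above applies).
# Keywords are matched case-insensitively; "Key value" and "Key=value" are
# both accepted. A value found after a Host/Match line is marked
# "(conditional)" because it only applies when that block matches.
gss_setting() {
    awk '
        { sub(/^[ \t]+/, "") }            # strip leading indentation
        /^#/ || /^$/ { next }             # skip comments and blank lines
        {
            line = $0
            sub(/[ \t]*=[ \t]*/, " ", line)   # normalise "Key=value"
            split(line, f, /[ \t]+/)
            key = tolower(f[1]); val = tolower(f[2])
            gsub(/"/, "", val)                # drop optional quotes
            if (key == "host" || key == "match") { scoped = 1; next }
            if (key == "gssapiauthentication") {
                print val (scoped ? " (conditional)" : "")
                found = 1
                exit
            }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Constructed sample files (not from the thread) so the script runs offline.
tmp=$(mktemp -d)
printf 'Host *\n    ForwardX11 no\n' > "$tmp/ssh_config"
printf 'Protocol 2\nGSSAPIAuthentication yes\n' > "$tmp/sshd_config"
for f in "$tmp/ssh_config" "$tmp/sshd_config"; do
    echo "${f##*/}: GSSAPIAuthentication $(gss_setting "$f")"
done
rm -rf "$tmp"
```

Point gss_setting at the real /etc/ssh/ssh_config and sshd_config to see which side is relying on the default.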