Need help with GSSAPI authentication

Simon Gales sgales at firewall.simonandchristy.com
Wed May 11 11:38:05 EST 2005


Client: Windows XP pro, in an AD 2003 domain, running SecureCRT 4.1.11. 
I've also got MIT Kerberos for Windows installed on the client, and Leash
shows that my tickets ARE forwardable.

Server: Solaris 8 Sparc server, with MIT Kerberos (krb5-1.4.1), and
OpenSSH 4.0p1.

I've created two AD accounts, and extracted keys mapped to
"host/hostname.domainname.com@REALM.COM" and
"ssh/hostname.domainname.com@REALM.COM" and installed them into
/etc/krb5.keytab.

I can log in to the server just fine - GSSAPI-with-mic authentication works
fine.  But when I "klist" after logging in, I have no tickets.

So... is this supposed to work?  Should my tickets get forwarded?  If not,
is there a patch that would make this work?

Any help would be appreciated...  I can provide server-side debug traces
if it'll help, but I really just need to know if tgt-forwarding is
supposed to work in OpenSSH 4.0...

-Simon




More information about the openssh-unix-dev mailing list