Need help with GSSAPI authentication

David Leonard davidl at
Wed May 11 13:27:58 EST 2005

Hi, Simon.

On Tue, 10 May 2005, Simon Gales wrote:
> So... is this supposed to work?  Should my tickets get forwarded?  If not,
> is there a patch that would make this work?

I can verify that TGT forwarding certainly works between openssh client 
and server. I've been using it extensievly with openssh 4.0p1
linked to a heimdal-based GSSAPI impl.

I see a similar problems here but with PuTTY modified to use SSPI for
gssapi-with-mic. It too is in an AD 2003 realm.

One thing I thought of that could stop delegation is if the target host 
has not been flagged as 'Trusted for delgation' in AD, as SSPI will silently 
ignore the request to delegate when the service ticket doesn't have the 
'ok to delegate' flag. But, kerbtray.exe (from the windows reskit) and 
some ethereal traces show this isn't the problem.

> I can login to the server just fine - GSSAPI-with-mic authentication works
> fine.  But when I "klist" after logging in, I have no tickets.

Same here.
What's interesting is that here the GSSAPI seems to receive from SSPI 
an *empty* set of delegated credentials. So, I see a credential cache 
constructed with the right default UPN, but with zero tickets.

> I've created two AD accounts, and extracted keys mapped to
> "host/ at REALM.COM" and
> "ssh/ at REALM.COM" and installed them into
> /etc/krb5.keytab.

I don't think the ssh/ service key would ever get used. Because you're
getting a shell, it's using host/.

David Leonard
Resource Central software engineer
Vintela Inc.; Brisbane, Australia
VoIP: US: 801-655-2755 
      AU: 07-3023-5133 

More information about the openssh-unix-dev mailing list