Need help with GSSAPI authentication
David Leonard
davidl at vintela.com
Wed May 11 13:27:58 EST 2005
Hi, Simon.
On Tue, 10 May 2005, Simon Gales wrote:
> So... is this supposed to work? Should my tickets get forwarded? If not,
> is there a patch that would make this work?
I can verify that TGT forwarding certainly works between openssh client
and server. I've been using it extensively with openssh 4.0p1
linked to a heimdal-based GSSAPI impl.
I see a similar problem here but with PuTTY modified to use SSPI for
gssapi-with-mic. It too is in an AD 2003 realm.
One thing I thought of that could stop delegation is if the target host
has not been flagged as 'Trusted for delegation' in AD, as SSPI will silently
ignore the request to delegate when the service ticket doesn't have the
'ok to delegate' flag. But, kerbtray.exe (from the windows reskit) and
some ethereal traces show this isn't the problem.
> I can login to the server just fine - GSSAPI-with-mic authentication works
> fine. But when I "klist" after logging in, I have no tickets.
Same here.
What's interesting is that here the GSSAPI seems to receive from SSPI
an *empty* set of delegated credentials. So, I see a credential cache
constructed with the right default UPN, but with zero tickets.
> I've created two AD accounts, and extracted keys mapped to
> "host/hostname.domainname.com at REALM.COM" and
> "ssh/hostname.domainname.com at REALM.COM" and installed them into
> /etc/krb5.keytab.
I don't think the ssh/ service key would ever get used. Because you're
getting a shell, it's using host/.
d
--
David Leonard
Resource Central software engineer
Vintela Inc.; Brisbane, Australia
VoIP: US: 801-655-2755
AU: 07-3023-5133
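As an added diagnostic (not from the thread, OpenSSH or Vintela), here is a small Python parser over constructed `klist -f` output that checks the two things discussed above: whether the `host/` service ticket on the client carries the ok-as-delegate flag, and whether the cache on the server after login holds a forwarded TGT at all. It assumes MIT Kerberos `klist -f` layout and flag letters (O = ok as delegate, F = forwardable, f = forwarded); the cache contents below are constructed sample data.

```python
import re
from dataclasses import dataclass

# Constructed sample modeled on MIT `klist -f` output (assumption: MIT flag
# letters; 'O' = ok_as_delegate, 'F' = forwardable, 'f' = forwarded).
# The host/ ticket here deliberately lacks 'O', the case SSPI silently ignores.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: simon@REALM.COM

Valid starting       Expires              Service principal
05/10/2005 13:00:00  05/10/2005 23:00:00  krbtgt/REALM.COM@REALM.COM
\tFlags: FRIA
05/10/2005 13:05:00  05/10/2005 23:00:00  host/hostname.domainname.com@REALM.COM
\tFlags: FRA
"""

@dataclass
class Ticket:
    service: str
    flags: str = ""

# Ticket line: "<start date> <start time>  <expiry date> <expiry time>  <principal@REALM>"
ENTRY_RE = re.compile(r"^\S+ \S+\s+\S+ \S+\s+(\S+@\S+)\s*$")

def parse_klist(text: str) -> list[Ticket]:
    """Collect each ticket line together with the 'Flags:' line that follows it."""
    tickets: list[Ticket] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            tickets.append(Ticket(service=m.group(1)))
        elif line.strip().startswith("Flags:") and tickets:
            tickets[-1].flags = line.split(":", 1)[1].strip()
    return tickets

def delegation_report(text: str, host: str) -> dict:
    """On the client: is the TGT forwardable and does host/<host> carry 'O'?
    On the server after login: is there a TGT at all, and was it forwarded ('f')?"""
    tickets = parse_klist(text)
    tgt = next((t for t in tickets if t.service.startswith("krbtgt/")), None)
    svc = next((t for t in tickets if t.service.startswith(f"host/{host}@")), None)
    return {
        "have_tgt": tgt is not None,
        "tgt_forwardable": tgt is not None and "F" in tgt.flags,
        "tgt_forwarded": tgt is not None and "f" in tgt.flags,
        "have_host_ticket": svc is not None,
        "host_ok_as_delegate": svc is not None and "O" in svc.flags,
    }
```

Run it against the client cache before connecting and against the server-side cache after login; a missing `O` on the client side, or a TGT without `f` on the server side, narrows down where delegation is being dropped.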