Need help with GSSAPI authentication

Sergio Gelato Sergio.Gelato at
Wed May 11 19:14:04 EST 2005

* Simon Gales [2005-05-10 20:38:05 -0500]:
> Client: Windows XP pro, in an AD 2003 domain, running SecureCRT 4.1.11. 
> I've also got MIT Kerberos for Windows installed on the client, and Leash
> shows that my tickets ARE forwardable.
> Server: Solaris 8 Sparc server, with MIT Kerberos (krb5-1.4.1), and
> OpenSSH 4.0p1.
> I've created two AD accounts, and extracted keys mapped to
> "host/ at REALM.COM" and
> "ssh/ at REALM.COM" and installed them into
> /etc/krb5.keytab.
> I can login to the server just fine - GSSAPI-with-mic authentication works
> fine.  But when I "klist" after logging in, I have no tickets.
> So... is this supposed to work?  Should my tickets get forwarded?  If not,
> is there a patch that would make this work?

That's a SecureCRT question. If you were using the OpenSSH client, you
would have to set the GSSAPIDelegateCredentials option (it's off by
default) in order for your TGT to be forwarded. I have no idea what the
corresponding option for SecureCRT is called.

> Any help would be appreciated...  I can provide server-side debug traces
> if it'll help, but I really just need to know if tgt-forwarding is
> supposed to work in OpenSSH 4.0...

It works for me.

More information about the openssh-unix-dev mailing list