Need help with GSSAPI authentication

Douglas E. Engert deengert at anl.gov
Wed May 11 23:09:39 EST 2005 


Simon Gales wrote:

> Client: Windows XP pro, in an AD 2003 domain, running SecureCRT 4.1.11. 
> I've also got MIT Kerberos for Windows installed on the client, and Leash
> shows that my tickets ARE forwardable.

We have a similiar setup.
> 
> Server: Solaris 8 Sparc server, with MIT Kerberos (krb5-1.4.1), and
> OpenSSH 4.0p1.
> 
> I've created two AD accounts, and extracted keys mapped to
> "host/hostname.domainname.com at REALM.COM" and
> "ssh/hostname.domainname.com at REALM.COM" and installed them into
> /etc/krb5.keytab.

(The ssh/... principal is not needed, as sshd uses the host.)
> 
> I can login to the server just fine - GSSAPI-with-mic authentication works
> fine.  But when I "klist" after logging in, I have no tickets.
> 
> So... is this supposed to work?  Should my tickets get forwarded?  If not,
> is there a patch that would make this work?

Yes it should work, but it could be  a number of things:

SSHD is not setting the KRB5CCANME. See if there are ticket caches
created from the session. /tmp/krb5cc_*

Windows AD has an attribute for servers called ok_to_delegate (something
like this)  It sets this on the server ticket, so the client knows if it
is safe to delegate credentials. Your AD admin might have to change this
on the host/... principal

Also see the Windows "ksetup /listRealmFlags". As a test you could set the
Delegate flag for the realm. This would tell the client its OK
to delegate credentials to any host in the realm even if te AD was not sure.

> 
> Any help would be appreciated...  I can provide server-side debug traces
> if it'll help, but I really just need to know if tgt-forwarding is
> supposed to work in OpenSSH 4.0...
> 

Yes itshoulod work. It works in 3.9 from SecureCRT.

> -Simon
> 
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
> 
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the openssh-unix-dev mailing list