Need help with GSSAPI authentication

Douglas E. Engert deengert at
Wed May 11 23:19:30 EST 2005

P.S. Since you have Leash, tell the SecureCRT to use the
MIT Kerberos rather then SSPI. I dont believe the MIT
code looks at the ok_to_delegate flag.

Simon Gales wrote:

> Client: Windows XP pro, in an AD 2003 domain, running SecureCRT 4.1.11. 
> I've also got MIT Kerberos for Windows installed on the client, and Leash
> shows that my tickets ARE forwardable.
> Server: Solaris 8 Sparc server, with MIT Kerberos (krb5-1.4.1), and
> OpenSSH 4.0p1.
> I've created two AD accounts, and extracted keys mapped to
> "host/ at REALM.COM" and
> "ssh/ at REALM.COM" and installed them into
> /etc/krb5.keytab.
> I can login to the server just fine - GSSAPI-with-mic authentication works
> fine.  But when I "klist" after logging in, I have no tickets.
> So... is this supposed to work?  Should my tickets get forwarded?  If not,
> is there a patch that would make this work?
> Any help would be appreciated...  I can provide server-side debug traces
> if it'll help, but I really just need to know if tgt-forwarding is
> supposed to work in OpenSSH 4.0...
> -Simon
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the openssh-unix-dev mailing list