Question about GSSAPI with OpenSSH 4.2p1

Sergio Gelato Sergio.Gelato at astro.su.se
Sat Nov 5 00:34:30 EST 2005


* Jason.C.Burns at wellsfargo.com [2005-11-03 17:59:34 -0600]:
> Hey all, perhaps someone might be able to shed a little light on this
> problem.  Nothing I find in books and groups seems to address the
> problem.  I'm trying to set up a series of connections with ssh that
> authenticate through GSSAPI.  However, it seems that the credentials are
> not getting passed.
[...]
> debug1: Got no client credentials
[...]
> What does 'Got no client credentials' mean?  The client is sending them,
> so where do they go?

Are you sure that the client is actually sending them? The credential
delegation is buried inside the GSSAPI library, all the OpenSSH code
does is to set the "delegate" flag when initialising the security
context. If the library is unable to honour that flag, for example
because the TGT is not forwardable, then no credential will be
forwarded.

> Checking the ticket cache on the client...

Good idea, but...
>
> # klist
> Credentials cache: FILE:/tmp/krb5cc_xxx
>         Principal: <user>/<domain>@<realm>
>  
>   Issued           Expires          Principal
> Nov  3 17:36:40  Nov  4 03:36:40  krbtgt/domain@realm

You need to inspect the ticket flags as well. "klist -f" usually shows them
(at least in the versions of klist I'm familiar with).

> Nov  3 17:37:52  Nov  4 03:36:40  host/<machine>@<realm>
>  
> So it's even getting the ticket for the machine it is trying to go to
> using the tgt from the kinit.

That's not a forwarded ticket, however. The forwarded ticket would not
be stored in the client-side credentials cache (it isn't valid for the
client's IP address, only for the server's). You can find out whether it
is being issued by reading the KDC's logs or by examining the packets
exchanged between the GSSAPI library (in the ssh client) and the KDC.

> Any ideas?  I'm starting to bang my head against the wall here.

I'd guess that you forgot to ask for a forwardable TGT at kinit time.
There are other possibilities (e.g., a bug in your GSSAPI library; you
didn't tell us which version you are using) but hopefully they don't
apply to your case.
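An added diagnostic, not part of the thread, that automates the check suggested above: it parses the output of "klist -f" and reports whether the TGT carries the F (forwardable) flag that GSSAPI delegation needs. The MIT-style layout (a "Flags:" line under each ticket) and the sample cache contents are assumptions, constructed for this example.

```shell
#!/bin/sh
# If the TGT lacks the F flag, the GSSAPI library cannot honour the
# "delegate" flag that ssh sets (GSSAPIDelegateCredentials yes) and the
# server logs "Got no client credentials".

# Constructed sample: TGT obtained without "kinit -f" (I = initial, A = pre-authenticated)
KLIST_NOT_FORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.ORG

Valid starting       Expires              Service principal
11/03/05 17:36:40  11/04/05 03:36:40  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
	Flags: IA
11/03/05 17:37:52  11/04/05 03:36:40  host/server.example.org@EXAMPLE.ORG
	Flags: A'

# Constructed sample: TGT obtained with "kinit -f" (F = forwardable)
KLIST_FORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.ORG

Valid starting       Expires              Service principal
11/03/05 17:36:40  11/04/05 03:36:40  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
	Flags: FIA
11/03/05 17:37:52  11/04/05 03:36:40  host/server.example.org@EXAMPLE.ORG
	Flags: FA'

# tgt_flags KLIST_OUTPUT: print the flag letters of the first krbtgt/ entry.
tgt_flags() {
    printf '%s\n' "$1" | awk '
        /krbtgt\// { want = 1; next }
        want && /Flags:/ { sub(/.*Flags:[ \t]*/, ""); print; exit }
    '
}

# tgt_forwardable KLIST_OUTPUT: exit 0 if the TGT is forwardable, 1 otherwise.
tgt_forwardable() {
    case "$(tgt_flags "$1")" in
        *F*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Stand-alone usage: in practice pass "$(klist -f)" instead of a sample.
for cache in "$KLIST_NOT_FORWARDABLE" "$KLIST_FORWARDABLE"; do
    if tgt_forwardable "$cache"; then
        echo "TGT flags $(tgt_flags "$cache"): forwardable, delegation can work"
    else
        echo "TGT flags $(tgt_flags "$cache"): not forwardable; kinit -f or forwardable = true in [libdefaults]"
    fi
done
```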
