Question about GSSAPI with OpenSSH 4.2p1
Douglas E. Engert
deengert at anl.gov
Sat Nov 5 01:50:45 EST 2005
An Ethereal trace on the client would show the Kerberos activity to the KDC
and to the sshd.
Jason.C.Burns at wellsfargo.com wrote:
> Hey all, perhaps someone might be able to shed a little light on this
> problem. Nothing I find in books and groups seems to address the
> problem. I'm trying to set up a series of connections with ssh that
> authenticate through GSSAPI. However, it seems that the credentials are
> not getting passed.
>
> From the client..
>
> debug1: Next authentication method: gssapi-with-mic
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Delegating credentials
> debug1: Delegating credentials
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,password,keyboard-interactive
>
> So we can see that the client is configured to send the tickets
> across...
>
> From the Server...
>
> debug1: userauth-request for user <user>/<domain> service ssh-connection
> method gssapi-with-mic
> debug1: attempt 1 failures 1
> debug2: input_userauth_request: try method gssapi-with-mic
> Postponed gssapi-with-mic for <user>/<domain> from xxxx port x ssh2
> debug1: Got no client credentials
> Failed gssapi-with-mic for <user>/<domain> from xxxxx port x ssh2
> debug1: userauth-request for user <user>/<domain> service ssh-connection
> method keyboard-interactive
>
> What does 'Got no client credentials' mean? The client is sending them,
> so where do they go?
>
> Checking the ticket cache on the client...
>
> # klist
> Credentials cache: FILE:/tmp/krb5cc_xxx
> Principal: <user>/<domain>@<realm>
>
> Issued Expires Principal
> Nov 3 17:36:40 Nov 4 03:36:40 krbtgt/domain@realm
> Nov 3 17:37:52 Nov 4 03:36:40 host/<machine>@<realm>
>
> So it's even getting the ticket for the machine it is trying to go to
> using the tgt from the kinit.
>
> Any ideas? I'm starting to bang my head against the wall here.
>
> Thanks!
>
> Jason
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444