OpenSSH and Kerberos / Active Directory authentication problems: Credentials cache permission incorrect / No Credentials Cache found
Matthias Gerstner
Matthias.Gerstner at nefkom.net
Tue Nov 29 06:44:24 EST 2005
> One thing worth trying: make sure you're using sshd's
> PasswordAuthentication and not ChallengeResponseAuthentication.
>
> You can test this with "ssh -o PreferredAuthentications=password
> yourserver", and if it works you can set PasswordAuthentication=yes
> and ChallengeResponseAuthentication=no in sshd_config to
> require it from your clients. For the gory details see
> http://bugzilla.mindrot.org/show_bug.cgi?id=688
I have already tested configurations with ChallengeResponse enabled and
disabled and just tested it again, but it makes no difference.
>> -bash: GSSAPI Error: Miscellaneous failure (No Credentials cache found)
>
> I don't know why bash would care about GSSAPI.
Probably it's some part of a shell script during the login process.
> The man page for krb5_kuserok says, in part:
> This function takes a local user name and verifies if principal is
> allowed to log in as that user.
>
> First krb5_kuserok checks if there is a local account name username. If
> there isn't, krb5_kuserok returns FALSE.
>
> Then krb5_kuserok checks if principal is the same as user at realm in any of
> the default realms. If that is the case, krb5_kuserok returns TRUE.
Oh there's a man page about it. Good to know.
So the function call is important for security as far as I can see.
>> - OpenSSH 4.2_p1 with kerberos, ldap and pam support enabled
>
> The main OpenSSH distribution does not have LDAP support. Is this modified?
> Have you enabled LDAP support in /etc/nsswitch.conf?
It's the stable ebuild from Gentoo's portage, which is rather heavily
patched. But I tried vanilla OpenSSH 4.2_p1 already to exclude problems
caused by the Gentoo patches.
The LDAP / Kerberos setup is working well. As I said, the login process via
the local console using PAM works reliably. Also, kinit on the console works
flawlessly to get tickets, and ldapsearch, getent passwd etc. are okay.
Well, thank you so far. I'll see what else I can do.
Matthias Gerstner