SSH and Kerberos usage

Douglas E Engert deengert at gmail.com
Thu Oct 22 13:24:30 AEDT 2015



On 10/20/2015 11:18 PM, Sandeep Umesh wrote:
> Hello
>
> I am not sure if this has already been discussed over time, but I have a
> situation where I am not able to ssh with kerberos principal name.
>
> Here is the scenario -
> currently I am using OpenSSH 6.0 version and I have set the following -
> in sshd_config file -
>          KerberosAuthentication yes
>          GSSAPIAuthentication yes
>          GSSAPICleanupCredentials yes
> in ssh_config file -
>          GSSAPIAuthentication yes
>          GSSAPIDelegateCredentials yes
>
> After I obtain the kerberos TGT using - kinit user_name and try to login
> as ssh user_name@hostname, it works fine and I am able to login without a
> password prompt.
> However, if I try to login as ssh user_name@realm_name@hostname then I am
> prompted for the password.

I don't think user@realm@hostname will work.

SSH deals with Unix usernames, Kerberos deals with users in realms.
In the general case, you could have a username on the client and a different
remote username on the server, and a principal that does not match either.

Are both the client and server in the same realm?
If the username on the server is not the same as the principal name, you may
need the Kerberos ~/.k5login file in the home directory of the user on the server.

>
> I think the principal name to local name conversion is not happening
> properly which I am yet to verify. But is there any other solution
> available for this?
> Thanks
>
> Regards
> Sandeep

-- 

  Douglas E. Engert  <DEEngert at gmail.com>
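
The check discussed in the reply above, as an added example that is not part of the original message and is not OpenSSH or MIT Kerberos code. It is a simplified model of the documented default behaviour (an assumption): with no ~/.k5login, a single-component principal in the server's default realm maps to the local account of the same name; if ~/.k5login exists, only the principals listed in it are accepted. The names alice, asmith, bob, EXAMPLE.COM and OTHER.ORG are constructed sample values.

```python
from typing import Optional, Set


def default_localname(principal: str, default_realm: str) -> Optional[str]:
    """Default principal-to-local-name rule (simplified model).

    Only a single-component principal in the server's default realm
    maps to a local name: alice@EXAMPLE.COM -> alice.
    """
    name, _, realm = principal.rpartition("@")
    if not name or "/" in name or realm != default_realm:
        return None
    return name


def parse_k5login(text: str) -> Set[str]:
    """~/.k5login holds one principal per line; blank lines are ignored."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def may_login(principal: str, local_user: str, default_realm: str,
              k5login_text: Optional[str] = None) -> bool:
    """Decide whether `principal` may log in to the account `local_user`.

    k5login_text is the content of ~local_user/.k5login, or None when
    the file does not exist.
    """
    if k5login_text is not None:
        # File present: it is the only source of truth for this account.
        return principal in parse_k5login(k5login_text)
    return default_localname(principal, default_realm) == local_user


if __name__ == "__main__":
    realm = "EXAMPLE.COM"          # constructed sample realm
    tgt = "alice@EXAMPLE.COM"      # principal obtained with kinit
    cases = [
        ("alice", None),                       # names match, no .k5login
        ("alice@EXAMPLE.COM", None),           # realm left in the login name
        ("asmith", None),                      # different local account
        ("asmith", "alice@EXAMPLE.COM\n"),     # .k5login grants access
        ("alice", "bob@EXAMPLE.COM\n"),        # .k5login present, not listed
    ]
    for user, k5login in cases:
        print(f"{tgt} -> {user!r}: {may_login(tgt, user, realm, k5login)}")
```

In this model a login name that still carries the realm never matches a local account, so GSSAPI authorization fails for it.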


