openSSH GSSAPI Host Keytab Debug

Household Cang canghousehold at aol.com
Wed Jun 11 16:42:17 AEST 2025


Hello,

I am trying to use a Kerberos ticket from one AD-joined machine to log in to another AD-joined machine without passwords.

I passed -o GSSAPIAuthentication=yes to ssh on the client and exported KRB5_TRACE=/dev/stdout to print out the debug messages. It shows me Creating authenticator for user@domain.net -> host/hostname.domain@domain.realm. All good there.

On the server side, I have GSSAPIAuthentication=yes in sshd_config and DEBUG3 set, and I keep getting an error message of debug1: No credentials were supplied, or the credentials were unavailable or inaccessible.
No key table entry found matching host/hostname.domain@(empty ?)

I am confused as to why sshd decides to drop the @domain.realm part. There are no host/hostname.domain@ entries in klist, so is there a way to debug or force sshd to honor what the client has sent?

Many thanks.
Lucas.


More information about the openssh-unix-dev mailing list