OpenSSH GSSAPI Host Keytab Debug
Household Cang
canghousehold at aol.com
Wed Jun 11 16:42:17 AEST 2025
Hello,
I am trying to use a Kerberos ticket from one AD-joined machine to log in to another AD-joined machine without passwords.
I passed -o GSSAPIAuthentication=yes to ssh on the client and exported KRB5_TRACE=/dev/stdout to print out the debug messages. It shows me Creating authenticator for user@domain.net -> host/hostname.domain@domain.realm. All good there.
On the server side, I have GSSAPIAuthentication=yes in sshd_config, DEBUG3 set, and an error message keeps appearing: debug1: No credentials were supplied, or the credentials were unavailable or inaccessible.
No key table entry found matching host/hostname.domain@(empty ?)
I am confused as to why sshd decides to drop the @domain.realm part. There are no host/hostname.domain@ entries in klist, so is there a way to debug this or force sshd to honor what the client has sent?
Many thanks.
Lucas.