openSSH GSSAPI Host Keytab Debug
Alexander Bokovoy
ab at samba.org
Wed Jun 11 22:56:13 AEST 2025
On Wed, 11 Jun 2025, Household Cang via openssh-unix-dev wrote:
> Hello,
>
> I am trying to use a Kerberos ticket from one AD-joined machine to login
> to another AD-joined machine without passwords.
>
> I passed -o GSSAPIAuthentication=yes to ssh on client and export
> KRB5_TRACE=/dev/stdout to print out the debug message. It shows me
> Creating authenticator for user at domain.net ->
> host/hostname.domain at domain.realm. All good there.
>
> On the server side, I have GSSAPIAuthentication=yes in sshd_config,
> DEBUG3 set, and there keeps an error message of debug1: No credentials
> were supplied, or the credentials were unavailable or inaccessible.
> No key table entry found matching host/hostname.domain@(empty ?)
>
> I am confused as to why sshd decides to drop the @domain.realm part.
> There are no host/hostname.domain@ entries in klist, so is there a way
> to debug or force the sshd to honor what the client has sent?
At least MIT Kerberos uses @ without realm to indicate that realm is
currently not specified or will be discovered. It would help to see the
full trace. You can obfuscate hostname and realm somehow but in a
consistent way.
Another thing to check is the content of the keytab used. Kerberos names
are case-sensitive, both principal names and realm names, so there might
be differences with the keys in the keytab. Can you show output of
`klist -k` (assuming it is the default /etc/krb5.keytab)?
--
/ Alexander Bokovoy
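As an added illustration of the two checks suggested above (a bare `@` meaning the realm is unspecified, and a case-sensitive comparison of the requested principal against the keytab), here is a small Python script that is not part of this thread and not from OpenSSH or MIT Kerberos. It parses `klist -k` output and classifies why a requested service principal does or does not match. The keytab listing, host names and realm are constructed placeholders, and the result categories are my own.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of `klist -k` output (placeholder host and realm,
# not taken from the thread).
SAMPLE_KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/hostname.domain.net@DOMAIN.NET
   2 host/HOSTNAME@DOMAIN.NET
   2 HOSTNAME$@DOMAIN.NET
"""


def parse_klist(output: str) -> List[Tuple[int, str]]:
    """Return (kvno, principal) pairs from `klist -k` text, skipping header lines."""
    entries = []
    for line in output.splitlines():
        m = re.match(r"^\s*(\d+)\s+(\S+)\s*$", line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def split_principal(principal: str) -> Tuple[str, str]:
    """Split 'name@REALM' into (name, realm).

    A trailing bare '@' (or no '@' at all) yields an empty realm, which is
    treated below as 'realm not specified', matching the MIT convention
    described in the reply.
    """
    name, sep, realm = principal.rpartition("@")
    if not sep:
        return principal, ""
    return name, realm


def diagnose(requested: str,
             entries: List[Tuple[int, str]]) -> Tuple[str, Optional[str]]:
    """Classify how a requested service principal relates to the keytab.

    Returns one of:
      ("match", principal)          exact, case-sensitive hit
      ("case-mismatch", principal)  only letter case differs in name or realm
      ("realm-mismatch", principal) name matches but the realm is different
      ("missing", None)             nothing resembling the name is present
    """
    req_name, req_realm = split_principal(requested)
    case_hits: List[Tuple[str, Optional[str]]] = []
    realm_hits: List[Tuple[str, Optional[str]]] = []
    for _kvno, princ in entries:
        name, realm = split_principal(princ)
        if name == req_name:
            if req_realm == "" or realm == req_realm:
                return ("match", princ)
            if realm.lower() == req_realm.lower():
                case_hits.append(("case-mismatch", princ))
            else:
                realm_hits.append(("realm-mismatch", princ))
        elif name.lower() == req_name.lower():
            case_hits.append(("case-mismatch", princ))
    if case_hits:
        return case_hits[0]
    if realm_hits:
        return realm_hits[0]
    return ("missing", None)


if __name__ == "__main__":
    keytab = parse_klist(SAMPLE_KLIST_OUTPUT)
    for req in ("host/hostname.domain.net@DOMAIN.NET",
                "host/hostname.domain.net@",
                "host/Hostname.domain.net@DOMAIN.NET",
                "host/hostname.domain.net@domain.net",
                "host/other.domain.net@DOMAIN.NET"):
        print(req, "->", diagnose(req, keytab))
```

To use it against a real host, feed the output of `klist -k` (run as root, since the default keytab is normally readable only by root) to `parse_klist` and pass the `host/...` principal shown in the client-side `KRB5_TRACE` line to `diagnose`; a `case-mismatch` result points at exactly the kind of keytab versus request difference the reply asks about.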