Problems with Krb5/GSSAPI patches in FBSD 4.3

Peter Losher Peter.Losher at nominum.com
Tue May 22 10:03:42 EST 2001


On Mon, 21 May 2001, Simon Wilkinson wrote:

> The protocol 2 GSSAPI patch doesn't do password authentication - just
> credentials authentication. If you're wanting to verify Kerberos passwords on
> the server, I'd recommend looking at a different solution.

Is there one that does BOTH?  We use both Krb5 authentication methods for
different uses here, so a solution that handles both would be perfect.

> Things to check:
> 1) On the client side - does your credentials cache contain a valid credential

Yes...

> 2) On the server side - does the default keytab (usually /etc/krb5.keytab)
>     contain a correct host principal - usually host/<fully-qualified-hostname>

Yes, I can kinit, ksu, kadmin on this box just fine.

> 3) Are you using protocol version 2 (2.9p1 should default to this - but you
>    should force it for testing using -2 on the command line)

Yes, RSA/DSA keys work fine, but not Krb5 tickets.

> If it's still not working, please mail me a debug trace from both the client
> and the server (use ssh -v and sshd -d), including the arguments you started
> them with. Please let me know how you get on!

Question, do you know if this patch worked with ssh.com SSH2 clients, or
just with OpenSSH clients?  As soon as I know which client to use, I'll
send the traces over... :)

-Peter
-- 
Peter.Losher at nominum.com - [ Systems Admin. | Nominum, Inc. ]
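
The credential-cache and keytab checks quoted in the message above, as a small preflight script. This is an added example, not part of the original message or of the GSSAPI patch. It assumes MIT Kerberos `klist` (`-s` for a silent status check, `-k` to list the keytab); the keytab listing and hostnames are constructed sample data.

```shell
#!/bin/sh
# Constructed sample of `klist -k` output (MIT Kerberos layout).
# Note that shell.example.com only has a short-name host entry.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   3 host/shell@EXAMPLE.COM
   2 ftp/shell.example.com@EXAMPLE.COM
   3 host/gate.example.com@EXAMPLE.COM'

# Check 2: does a keytab listing contain host/<fqdn> in any realm?
# $1 = listing text, $2 = fully-qualified hostname.
# The comparison is exact: principal names are case-sensitive, and a
# short-name or other-service entry does not satisfy the check.
keytab_has_host() {
    printf '%s\n' "$1" | awk -v want="host/$2" '
        $2 ~ /@/ { split($2, p, "@"); if (p[1] == want) found = 1 }
        END      { exit !found }'
}

# Check 1 (client side): is there a readable, unexpired credentials cache?
check_client() {
    command -v klist >/dev/null 2>&1 || { echo "klist not found"; return 2; }
    if klist -s; then
        echo "ok: credentials cache holds a valid credential"
    else
        echo "FAIL: no valid credential in cache (run kinit)"; return 1
    fi
}

# Check 2 (server side, needs read access to the default keytab).
check_server() {
    command -v klist >/dev/null 2>&1 || { echo "klist not found"; return 2; }
    fqdn=$(hostname -f)
    if keytab_has_host "$(klist -k 2>/dev/null)" "$fqdn"; then
        echo "ok: keytab contains host/$fqdn"
    else
        echo "FAIL: keytab has no host/$fqdn entry"; return 1
    fi
}
```

Source the file and run `check_client` on the client and `check_server` on the server before collecting the `ssh -v` and `sshd -d` traces.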
