Need help with GSSAPI authentication
Sergio Gelato
Sergio.Gelato at astro.su.se
Wed May 11 19:14:04 EST 2005
* Simon Gales [2005-05-10 20:38:05 -0500]:
> Client: Windows XP pro, in an AD 2003 domain, running SecureCRT 4.1.11.
> I've also got MIT Kerberos for Windows installed on the client, and Leash
> shows that my tickets ARE forwardable.
>
> Server: Solaris 8 Sparc server, with MIT Kerberos (krb5-1.4.1), and
> OpenSSH 4.0p1.
>
> I've created two AD accounts, and extracted keys mapped to
> "host/hostname.domainname.com at REALM.COM" and
> "ssh/hostname.domainname.com at REALM.COM" and installed them into
> /etc/krb5.keytab.
>
> I can login to the server just fine - GSSAPI-with-mic authentication works
> fine. But when I "klist" after logging in, I have no tickets.
>
> So... is this supposed to work? Should my tickets get forwarded? If not,
> is there a patch that would make this work?

That's a SecureCRT question. If you were using the OpenSSH client, you
would have to set the GSSAPIDelegateCredentials option (it's off by
default) in order for your TGT to be forwarded. I have no idea what the
corresponding option for SecureCRT is called.

> Any help would be appreciated... I can provide server-side debug traces
> if it'll help, but I really just need to know if tgt-forwarding is
> supposed to work in OpenSSH 4.0...

It works for me.
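
The client-side setting named in the reply can be checked from the effective configuration before looking at the server. This is an added example, not part of the original message or of OpenSSH: it classifies `ssh -G` output, assumes a client that supports `ssh -G` (OpenSSH 6.8 or later, newer than the 4.0 discussed here), and the function name and sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the GSSAPI settings found in `ssh -G <host>`
# output read on stdin. On a real client:
#   ssh -G hostname.domainname.com | gss_delegation_status
gss_delegation_status() {
    awk '
        # ssh -G prints one lowercase "keyword value" pair per line.
        $1 == "gssapiauthentication"      { auth = $2 }
        $1 == "gssapidelegatecredentials" { deleg = $2 }
        END {
            # Neither keyword present: client built without GSSAPI.
            if (auth == "" && deleg == "")  print "no-gssapi-support"
            else if (auth != "yes")         print "gssapi-auth-off"
            else if (deleg == "yes")        print "tgt-delegated"
            else                            print "auth-only-no-tgt"
        }'
}

# Constructed sample: delegation off, matching the symptom in the thread
# (GSSAPI login succeeds, klist on the server shows no tickets).
sample_default() {
    printf '%s\n' 'hostname hostname.domainname.com' \
        'gssapiauthentication yes' 'gssapidelegatecredentials no'
}

# Constructed sample: delegation enabled for this one host, e.g. with
#   Host hostname.domainname.com
#       GSSAPIAuthentication yes
#       GSSAPIDelegateCredentials yes
# in ~/.ssh/config, leaving the default (off) for every other host so
# the TGT is only handed to servers that are meant to receive it.
sample_delegating() {
    printf '%s\n' 'hostname hostname.domainname.com' \
        'gssapiauthentication yes' 'gssapidelegatecredentials yes'
}

sample_default    | gss_delegation_status
sample_delegating | gss_delegation_status
```

If the result is `tgt-delegated` and `klist` on the server is still empty, the remaining causes are on the server or KDC side rather than in the client configuration.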