Re: Question about GSSAPI with OpenSSH 4.2p1
An Ethereal trace on the client would show the Kerberos activity with the KDC
and to the sshd.
Jason.C.Burns@wellsfargo.com wrote:
> Hey all, perhaps someone might be able to shed a little light on this
> problem. Nothing I find in books and groups seems to address the
> problem. I'm trying to set up a series of connections with ssh that
> authenticate through GSSAPI. However, it seems that the credentials are
> not getting passed.
>
> From the client..
>
> debug1: Next authentication method: gssapi-with-mic
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Delegating credentials
> debug1: Delegating credentials
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,password,keyboard-interactive
>
> So we can see that the client is configured to send the tickets
> across...
>
> From the Server...
>
> debug1: userauth-request for user <user>/<domain> service ssh-connection
> method gssapi-with-mic
> debug1: attempt 1 failures 1
> debug2: input_userauth_request: try method gssapi-with-mic
> Postponed gssapi-with-mic for <user>/<domain> from xxxx port x ssh2
> debug1: Got no client credentials
> Failed gssapi-with-mic for <user>/<domain> from xxxxx port x ssh2
> debug1: userauth-request for user <user>/<domain> service ssh-connection
> method keyboard-interactive
>
> What does 'Got no client credentials' mean? The client is sending them,
> so where do they go?
>
> Checking the ticket cache on the client...
>
> # klist
> Credentials cache: FILE:/tmp/krb5cc_xxx
> Principal: <user>/<domain>@<realm>
>
> Issued           Expires          Principal
> Nov  3 17:36:40  Nov  4 03:36:40  krbtgt/domain@realm
> Nov  3 17:37:52  Nov  4 03:36:40  host/<machine>@<realm>
>
> So it's even getting the ticket for the machine it is trying to go to
> using the tgt from the kinit.
>
> Any ideas? I'm starting to bang my head against the wall here.
>
> Thanks!
>
> Jason
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444