I'm trying to get cross-realm authentication to work between A.COM and
B.NET for openssh.

The setup is as follows:

the KDC from A.COM has a principal user@A.COM.
the KDC from B.NET has the principal host/sshserver@B.NET
There's also a principal krbtgt/B.NET@A.COM on both KDC's.

The cross-realm authentication seems to work. After kinit user@A.COM and
attempting to ssh to user@sshserver I have the following tickets:

(deepstar/tachyon) ~$ klist
Credentials cache: FILE:/tmp/krb5cc_1000
Principal: user@A.COM

Issued Expires Principal
May 29 15:07:18 May 30 01:09:24 krbtgt/A.COM@A.COM
May 29 15:07:20 May 30 01:09:24 krbtgt/B.NET@A.COM
May 29 15:07:19 May 30 01:09:24 host/sshserver@B.NET

But I can't login. When I get a ticket for user@B.NET and attempt to login, it works.
So at least I know the setup is correct.

The log from the KDC at B.NET shows something like this:

2006-05-29T15:07:19 TGS-REQ user@A.COM from IPv4: for host/sshserver@B.NET [proxiable, forwardable]
2006-05-29T15:07:19 Client not found in database: user@A.COM: No such entry in the database
2006-05-29T15:07:19 cross-realm A.COM -> B.NET
2006-05-29T15:07:19 sending 665 bytes to IPv4:

Where is the client aswell as the sshserver in this case...

This leads me to conclude that the SSH-server is trying to verify user@A.COM against the B.NET realm.

I'm not sure why this happens ? (krb5.conf should be setup correctly)

Does anyone have a similar problem and maybe a fix ?

I'm using openssh 4.2p1-8 (debian unstable)

kind regards,
-- Steven Van Acker