Steven Van Acker wrote:
> I'm trying to get cross-realm authentication to work between A.COM and
> B.NET for openssh.
> the KDC from A.COM has a principal user@A.COM.
> the KDC from B.NET has the principal host/sshserver@B.NET
> There's also a principal krbtgt/B.NET@A.COM on both KDC's.

Is user@A.COM authorized to access 's account on the ssh server?
If the server's default realm is B.NET, the standard configuration will
only allow user@B.NET to access that account.

You need to investigate the documentation for ~/.k5login, or whatever
other mechanisms your Kerberos library provides for authorizing
cross-realm principals.