Problem with latest OpenSSH and Wilkinson's Kerberos patch
I built and installed an MIT KDC, OpenSSH 4.2p1 (built with S.
Wilkinson's GSSAPI/Kerberos patch), and changed relevant settings in
sshd_config; however, OpenSSH is still prompting me for a password (I
want single sign-on). Running on Debian Linux. Here's the flow:

    user% kinit <user>              [get a TGT]
    user% klist                     [dumps my TGT, looks fine]
    user% ssh -v <user>@<hostname>
    [SSH asks for password and I Ctrl+C out]

In the debug dump, I can see the SSH client sending a GSSAPI stream
which the sshd appears to be ignoring. It does, however, obtain a TGS
in the process, which is a good sign, but there's still no single
sign-on. I tried short hostname and FQHN, same result. The keytab
contains principals for both flavors.
I have a suspicion that it might have something to do with a cipher
mismatch? I don't tell the KDC what enctypes to generate, so it does 3DES
by default. I thought OpenSSH also supports 3DES, and specifically
uncommented the "Cipher 3des" line in ssh_config, but still no luck.
Any ideas? TIA!