AIX 5.3 and GSSAPI - SSH
-
AIX 5.3 and GSSAPI
I've spent the last few days playing with GSSAPI auth on an AIX 5.3
server (4.1P1) with no success. I've already got this running perfectly
on a Linux testbed system, using our AD as KDC (Windows 2000),
with PuTTY (0.56b2 GSSAPI) as a client terminal. The AIX system is
correctly allowing users to authorise against KRB5A, but the GSSAPI
single sign-on from a client never seems to work.
The debug log from SSHD fails during gssapi-with-mic as follows:
debug1: userauth-request for user ianclark service ssh-connection method
gssapi-with-mic
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method gssapi-with-mic
debug3: mm_request_send entering: type 37
debug3: mm_request_receive_expect entering: type 38
debug3: monitor_read: checking request 37
debug3: mm_request_receive entering
debug1: Miscellaneous failure
No principal in keytab matches desired name
debug3: mm_request_send entering: type 38
debug3: mm_request_receive entering
We have created a host principle and installed it in the krb5 keytab as
per normal; SSHD doesn't need a service principle, does it? But what principle
is SSHD looking for, and with what name? Gssapi-with-mic is clearly being
attempted; with this error, PuTTY returns "unable to initialise gssapi
context", yet it connects to the Linux system immediately.
I'm a little confused, because our Linux test worked within minutes of
configuration. Any ideas?
-
Re: AIX 5.3 and GSSAPI
> I've spent the last few days playing with GSSAPI auth on an AIX 5.3
> server (4.1P1) with no success. I've already got this running perfectly
> on a Linux testbed system, using our AD as KDC (Windows 2000),
> with PuTTY (0.56b2 GSSAPI) as a client terminal. The AIX system is
> correctly allowing users to authorise against KRB5A, but the GSSAPI
> single sign-on from a client never seems to work.
>
> The debug log from SSHD fails during gssapi-with-mic as follows:
>
> debug1: userauth-request for user ianclark service ssh-connection method
> gssapi-with-mic
> debug1: attempt 1 failures 1
> debug2: input_userauth_request: try method gssapi-with-mic
> debug3: mm_request_send entering: type 37
> debug3: mm_request_receive_expect entering: type 38
> debug3: monitor_read: checking request 37
> debug3: mm_request_receive entering
> debug1: Miscellaneous failure
> No principal in keytab matches desired name
>
> debug3: mm_request_send entering: type 38
> debug3: mm_request_receive entering
>
> We have created a host principle
The word is "principal."
> and installed it in the krb5 keytab as
> per normal; SSHD doesn't need a service principle, does it?
Yes, it does, as does any kerberized service. In this case, the service
principal *is* the host principal (as opposed to one referring
specifically to a protocol, e.g. imap/<fqdn>@REALM).
> But what principle is SSHD looking for, and with what name?
host/<fqdn>@REALM
Possible problems:
- The host may not have the right fqdn. Check the result of
gethostbyaddr(gethostbyname(hostname)).
- Properties of the key may be incorrect with respect to the copy in the
kdb. Most common are the key version number (kvno) and key type. This
is very easy to get wrong when using a Windows KDC directly, since the
tool ktpass.exe is misleading and buggy.
--
Richard Silverman
res@qoxp.net
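The two checks in the answer above (is host/<fqdn>@REALM actually in the keytab, and do its kvno and key type match what the KDC holds) can be run mechanically. The following is an added example, not code from the thread: a parser for the version-2 keytab file format plus a check that reports why sshd's lookup of host/<fqdn>@REALM would fail. The realm, hostname, kvno and enctype values are constructed, the keys written by build_keytab are dummies, and the fqdn you pass in is whatever gethostbyaddr(gethostbyname(hostname)) returns on the server (socket.gethostbyaddr in Python).

```python
import struct

def parse_keytab(data):
    """Return (principal, kvno, enctype) per live entry of a v2 (0x0502) keytab; big-endian ints."""
    assert data[:2] == b"\x05\x02", "not a version-2 keytab"
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size <= 0:                        # negative size marks a deleted slot: skip it
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        pos, names = pos + 2, []
        for _ in range(ncomp + 1):            # counted strings: realm first, then components
            (n,) = struct.unpack(">H", data[pos:pos + 2])
            names.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        _ntype, _ts, vno8, enctype, klen = struct.unpack(">IIBHH", data[pos:pos + 13])
        pos += 13 + klen                      # skip the key material itself
        kvno = vno8
        if end - pos >= 4:                    # optional 32-bit kvno overrides the 8-bit one when non-zero
            kvno = struct.unpack(">I", data[pos:pos + 4])[0] or vno8
        entries.append(("/".join(names[1:]) + "@" + names[0], kvno, enctype))
        pos = end
    return entries

def build_keytab(entries):
    """Construct a v2 keytab from (principal, kvno, enctype) tuples: test data with dummy 16-byte keys."""
    out = b"\x05\x02"
    for principal, kvno, enctype in entries:
        name, realm = principal.split("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, 16) + bytes(16) + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out

def check_host_principal(keytab, fqdn, realm, kdc_kvno, kdc_enctype):
    """Explain why sshd's lookup of host/<fqdn>@REALM would fail against keytab, or None if it matches."""
    wanted = f"host/{fqdn}@{realm}"
    hits = [(k, e) for p, k, e in keytab if p == wanted]
    if not hits:
        return f"no principal in keytab matches {wanted}"
    if (kdc_kvno, kdc_enctype) in hits:
        return None
    return f"{wanted} found, but kvno/enctype {hits} differ from the KDC's {(kdc_kvno, kdc_enctype)}"
```

A short hostname or a wrong reverse-DNS name shows up as the first message, which is the sshd error in the debug log; a stale ktpass export shows up as the second.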