
Re: Solaris 10 sshd + GSSAPI = where's my cred cache?

daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Mon Nov 5 13:54:32 2007

Message-ID: <472F66D4.8070600@anl.gov>
Date: Mon, 05 Nov 2007 12:54:12 -0600
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: Jeff Blaine <jblaine@kickflop.net>
In-Reply-To: <472F4D86.6010302@kickflop.net>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu



Jeff Blaine wrote:
> Solved.
> 
> Had to force client-side "-o GSSAPIStoreDelegatedCredentials yes"
> even though it was not defined anywhere as "no" (although probably
> a default for some reason).

Are you sure that was it? GSSAPIStoreDelegatedCredentials is a server side
option and defaults to yes. The client side option is GSSAPIDelegateCredentials
and defaults to no for security reasons. (You should only delegate to trusted
machines.)

man ssh_config and man sshd_config show the options.

> 
> Jeff Blaine wrote:
>> Nicolas et al,
>>
>> ==== SSHD server ====================================================
>>
>> ~:alberta> uname -a
>> SunOS alberta.foo.com 5.10 Generic_127111-01 sun4u sparc SUNW,Ultra-5_10
>> ~:alberta>
>>
>> ~:alberta> sudo /usr/lib/ssh/sshd -p 3333 -o
>> "GSSAPIStoreDelegatedCredentials yes" -o "GSSAPIKeyExchange yes" -o
>> "GSSAPIAuthentication yes" -ddd
>>
>> ==== SSH client =====================================================
>>
>> ~:rcf-kerbtest-linux> grep GSSAPI /etc/ssh/ssh_config
>>         GSSAPIAuthentication yes
>> ~:rcf-kerbtest-linux> ls .ssh/config
>> ls: .ssh/config: No such file or directory
>> ~:rcf-kerbtest-linux> /usr/kerberos/bin/klist -f
>> Ticket cache: FILE:/tmp/krb5cc_26560_XM0qlu
>> Default principal: jblaine@RCF.FOO.COM
>>
>> Valid starting     Expires            Service principal
>> 11/01/07 14:30:02  11/08/07 13:30:02  krbtgt/RCF.FOO.COM@RCF.FOO.COM
>>         Flags: FI
>> 11/01/07 14:30:02  11/08/07 13:30:02  afs@RCF.FOO.COM
>>         Flags: FT
>> 11/01/07 14:30:27  11/08/07 13:30:02  host/alberta.foo.com@RCF.FOO.COM
>>         Flags: FT
>>
>>
>> Kerberos 4 ticket cache: /tmp/tkt26560
>> klist: You have no tickets cached
>> ~:rcf-kerbtest-linux> /usr/bin/ssh -p 3333 alberta
>> Last login: Mon Nov  5 11:15:47 2007 from rcf-kerbtest-li
>> ...
>> ~:alberta> /usr/bin/klist
>> klist: No credentials cache file found (ticket cache 
>> FILE:/tmp/krb5cc_26560)
>> ~:alberta>
>>
>> ==== SSHD server reports =======================================
>> ...
>> debug1: userauth-request for user jblaine service ssh-connection method 
>> gssapi-with-mic
>> debug1: attempt 1 initial attempt 0 failures 1 initial failures 0
>> debug2: input_userauth_request: try method gssapi-with-mic
>> debug1: Client offered gssapi userauth with { 1 2 840 113554 1 2 2 } 
>> (supported)
>> debug2: Mapping initiator GSS-API principal to local username
>> debug2: Mapped the initiator to: jblaine
>> debug2: Starting PAM service sshd-gssapi for method gssapi-with-mic
>> debug3: Trying to reverse map address xxx.xx.11.213.
>> debug3: Not storing delegated GSS credentials (none delegated)
>> Accepted gssapi-with-mic for jblaine from xxx.xx.11.213 port 41605 ssh2
>> ...
>>
>>

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
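The point of the reply above is that the option that decides whether a TGT is forwarded is the client-side GSSAPIDelegateCredentials, which defaults to no, and that it should be switched on only for hosts you trust. The sshd line "Not storing delegated GSS credentials (none delegated)" in the quoted debug output is exactly what the server logs when the client never delegated. The following shell helper is an added example, not code from the thread or from OpenSSH: it reads an ssh_config file and reports the effective GSSAPIDelegateCredentials value for one host, applying ssh_config's own rules (the first value found wins, a Host block applies until the next Host line, and the built-in default is no). It is simplified on purpose: only Host blocks are handled (no Match), patterns support the shell wildcards * and ? but not the ! negation, and the key=value spelling is not parsed. The sample config and host names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): report the effective client-side
# GSSAPIDelegateCredentials setting for one host, following ssh_config's
# first-match-wins rule. Simplifications: Host blocks only (no Match),
# no "!" negation in patterns, no "key=value" spelling.

gssapi_delegation_for() {
    cfg=$1
    host=$2
    active=yes      # options before the first Host line apply to every host
    result=no       # OpenSSH default: never delegate unless told to
    found=no
    set -f          # no pathname expansion while Host patterns are split
    while read -r key rest; do
        case "$key" in
            ''|'#'*) continue ;;           # blank line or comment
        esac
        lkey=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
        if [ "$lkey" = host ]; then
            active=no
            for pat in $rest; do           # a Host line may list several patterns
                case "$host" in
                    $pat) active=yes ;;    # unquoted on purpose: glob match
                esac
            done
        elif [ "$active" = yes ] && [ "$found" = no ] \
             && [ "$lkey" = gssapidelegatecredentials ]; then
            result=$(printf '%s' "$rest" | tr '[:upper:]' '[:lower:]')
            found=yes                      # first value wins; later ones are ignored
        fi
    done < "$cfg"
    set +f
    printf '%s\n' "$result"
}

# Constructed sample ssh_config: delegate only to the one trusted host,
# and say "no" explicitly for everything else.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# constructed for this example, not a real site configuration
Host alberta alberta.foo.com
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Host *.foo.com
    GSSAPIAuthentication yes

Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
EOF

for h in alberta alberta.foo.com other.foo.com host.example.org; do
    printf '%-20s GSSAPIDelegateCredentials=%s\n' \
        "$h" "$(gssapi_delegation_for "$SAMPLE_CFG" "$h")"
done
```

With that sample config, alberta and alberta.foo.com report yes, while other.foo.com and host.example.org report no (the *.foo.com block sets nothing, so the Host * block decides). On OpenSSH releases newer than the 2007-era builds in the thread, `ssh -G alberta` prints the effective configuration and is the authoritative check; grepping its output for gssapidelegatecredentials should agree with this helper for configs that stay within its simplifications.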