[31254] in Kerberos


Re: Problem: passwordless SSH-login with Kerberos doesn't work

daemon@ATHENA.MIT.EDU (Simo Sorce)
Mon Jun 15 18:42:25 2009

From: Simo Sorce <ssorce@redhat.com>
To: kerberos@mit.edu
In-Reply-To: <4a36006b$0$27420$e4fe514c@dreader31.news.xs4all.nl>
Date: Mon, 15 Jun 2009 18:41:30 -0400
Message-Id: <1245105690.14254.56.camel@localhost.localdomain>

On Mon, 2009-06-15 at 10:03 +0200, Hans van Zijst wrote:
> And here's the log (at DEBUG level) of the SSH server:
> 
> -----[ ssh server log ]-----
> debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7
> debug1: Forked child 2475.
> debug1: inetd sockets after dupping: 3, 3
> Connection from 10.115.193.8 port 35195
> debug1: Client protocol version 2.0; client software version 
> OpenSSH_5.1p1 Debian-5
> debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5
> debug1: PAM: initializing for "thisuser"
> debug1: PAM: setting PAM_RHOST to "client.staff.xxxxx.nl"
> debug1: PAM: setting PAM_TTY to "ssh"
> Failed none for thisuser from 10.115.193.8 port 35195 ssh2
> debug1: Unspecified GSS failure.  Minor code may provide more 
> information\nNo principal in keytab matches desired name\n
> debug1: do_cleanup
> debug1: PAM: cleanup

Clearly the ssh server does not agree about what is the right name.

The hostname of the machine must be the same name you set in the keytab.

That's what sshd uses (probably through gethostname()) to determine what
principal name to search for in the keytab.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
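
A check for the mismatch described in the reply above, added here as an example and not part of the original message: it compares a hostname literally against the host/ principals in `klist -k` output. The sample listing, host names and realm are constructed, and the literal comparison is an assumption that ignores any name canonicalization the GSS library may perform.

```shell
#!/bin/sh
# Constructed sample of `klist -k` output; host name and realm are made up.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/server.example.com@EXAMPLE.COM
   3 host/server.example.com@EXAMPLE.COM
   2 nfs/server.example.com@EXAMPLE.COM'

# keytab_principals: read `klist -k` output on stdin and print each
# principal once (a keytab lists one line per key, so names repeat).
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /@/ { print $2 }' | sort -u
}

# check_host_principal HOSTNAME: read `klist -k` output on stdin.
# Returns 0 if host/HOSTNAME@<realm> is present, 1 otherwise.
# The comparison is literal and case-sensitive, so "server" does not
# match "server.example.com" (assumption: no canonicalization is applied).
check_host_principal() {
    keytab_principals | awk -v want="host/$1" '
        index($0, want "@") == 1 { print "match: " $0; found = 1 }
        { seen = seen "\n  " $0 }
        END {
            if (!found) {
                print "no keytab entry for " want "@<realm>; keytab holds:" seen
                exit 1
            }
        }'
}

# Demo on the constructed listing: the short name fails, the FQDN matches.
for name in server server.example.com; do
    printf '%s\n' "$SAMPLE_KEYTAB" | check_host_principal "$name" || true
done
```

On a server, feed it the real data with `klist -k /etc/krb5.keytab | check_host_principal "$(hostname)"`.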
