Srinivas Cheruku wrote:

> Default configuration should work properly. Otherwise you can add the below
> lines in your sshd configuration file
>
> GssapiAuthentication yes
> GssapiKeyExchange yes
> GssapiUseSessionCredCache yes
>
> Also start the client session in the verbose mode and see what is happening
> by giving
> $ ssh -v hostname
>
> Also you can check on the KDC log whether it has issued a forwarded TGT.
>

I have added those lines to sshd_config but it didn't help, here is the
output of the ssh client:

> ssh -v hostname
OpenSSH_3.0.2p1, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid XXXX geteuid 0 anon 1
debug1: Connecting to tonostix [X.X.X.X] port 22.
debug1: temporarily_use_uid: XXXX/XXXX (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: XXXX/XXXX (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /home/username/.ssh/identity type -1
debug1: identity file /home/username/.ssh/id_rsa type -1
debug1: identity file /home/username/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.0.2p1
debug1: match: OpenSSH_3.0.2p1 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.0.2p1
debug1: Miscellaneous failure
debug1: Server not found in Kerberos database
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 133/256
debug1: bits set: 1558/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'hostname' is known and matches the RSA host key.
debug1: Found key in /home/username/.ssh/known_hosts2:104
debug1: bits set: 1569/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: external-keyx,gssapi,publickey,password,keyboard-interactive
debug1: next auth method to try is external-keyx
debug1: authentications that can continue: external-keyx,gssapi,publickey,password,keyboard-interactive
debug1: next auth method to try is gssapi
debug1: authentications that can continue: external-keyx,gssapi,publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try privkey: /home/username/.ssh/identity
debug1: try privkey: /home/username/.ssh/id_rsa
debug1: try privkey: /home/username/.ssh/id_dsa
debug1: next auth method to try is keyboard-interactive
debug1: authentications that can continue: external-keyx,gssapi,publickey,password,keyboard-interactive
debug1: next auth method to try is password
username@hostname's password:
debug1: packet_send2: adding 64 (len 60 padlen 4 extra_pad 64)
debug1: ssh-userauth2 successful: method password
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: ssh_session2_setup: id 0
debug1: channel request 0: shell
debug1: channel 0: open confirm rwindow 0 rmax 16384
Last login: Fri Mar 22 12:38:15 2002 from hostname.domain.com
Linux 2.4.5.

Output of kinit:

> kinit
Password for username@REALM:
kinit(v5): No credentials cache found when initializing cache

Output of klist:

> klist
klist: No credentials cache found (ticket cache FILE:)

Kerberos 4 ticket cache: /tmp/tktXXXX
klist: You have no tickets cached

Any ideas?

________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos
