In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] ("Parag Godkar") wrote:
...
> 9. Now from this telnet/ssh session, I would like the users to
> telnet/ssh to another linux server (or to the same server)
> in the same kerberos domain WITHOUT BEING PROMPTED FOR A
> PASSWORD.
>
> NOW THIS IS WHAT I WANT TO KNOW IF IT IS
> PRACTICABLE OR I AM TRYING TO DO SOMETHING
> IMPOSSIBLE?

Yes! It is possible, and everything up to here leads me to expect
it will work. But as another followup has already pointed out, the
server apparently has no service key - from the server diagnostics,

> Miscellaneous failure No principal in keytab matches desired name

Someone needs to create a principal host/x.y.z and add its key to
/etc/krb5.keytab on x.y.z (the remote host.)

Remember when testing the client, you must do that as the user who
logged in and has the credentials -- don't do it as root.

> 3. I have the following relevant lines in my sshd_config -
>
> #RSAAuthentication yes
> #PubkeyAuthentication yes
> #AuthorizedKeysFile .ssh/authorized_keys
> #PasswordAuthentication yes
> #PermitEmptyPasswords no
> #ChallengeResponseAuthentication yes
> KerberosAuthentication yes
> #KerberosOrLocalPasswd yes
> #KerberosTicketCleanup yes
> GssapiAuthentication yes
> GssapiKeyExchange yes
> GssapiUseSessionCredCache yes
> #AFSTokenPassing no
> #KerberosTgtPassing no
> #PAMAuthenticationViaKbdInt no
>
> and the following relevant lines in my ssh_config -
>
> # Host *
> # ForwardAgent no
> # ForwardX11 no
> # PasswordAuthentication yes
> GssapiAuthentication yes
> GSSAPIDelegateCredentials yes

"KerberosAuthentication yes" alone, in both, should be enough,
something you can easily try if you have further difficulties.

Donn Cave, [EMAIL PROTECTED]
________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
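
Added example, not part of the original post or thread: a shell check for the condition behind "No principal in keytab matches desired name", run over the remote host's keytab listing. It assumes the MIT Kerberos `klist -k` output layout; the function name `diagnose_keytab`, the realm EXAMPLE.COM and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes MIT Kerberos `klist -k` output: header lines,
# then one "KVNO principal@REALM" row per key.
# On the remote host:  klist -k /etc/krb5.keytab | diagnose_keytab x.y.z

# Prints one of: ok | case-mismatch | short-name | missing
diagnose_keytab() {
    awk -v fqdn="$1" '
        BEGIN { want = "host/" fqdn; status = "missing" }
        $1 ~ /^[0-9]+$/ && NF >= 2 {        # key rows start with a numeric KVNO
            name = $2
            sub(/@.*$/, "", name)            # drop the realm part
            if (name == want) { status = "ok"; exit }
            if (tolower(name) == tolower(want)) {
                status = "case-mismatch"     # principal names are case-sensitive
            } else if (status == "missing" && index(want, name ".") == 1) {
                status = "short-name"        # e.g. host/x where host/x.y.z is needed
            }
        }
        END { print status }
    '
}

# Constructed sample listings (not taken from the thread).
HDR='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------'
SAMPLE_GOOD="$HDR
   3 nfs/x.y.z@EXAMPLE.COM
   3 host/x.y.z@EXAMPLE.COM"
SAMPLE_SHORT="$HDR
   2 host/x@EXAMPLE.COM"
SAMPLE_CASE="$HDR
   2 host/X.Y.Z@EXAMPLE.COM"
SAMPLE_NONE="$HDR
   1 nfs/x.y.z@EXAMPLE.COM"

# Demonstration on the constructed listings.
for s in "$SAMPLE_GOOD" "$SAMPLE_SHORT" "$SAMPLE_CASE" "$SAMPLE_NONE"; do
    printf '%s\n' "$s" | diagnose_keytab x.y.z
done
```

Any result other than `ok` means sshd on that host has no key for host/x.y.z and will reject the client's service ticket.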