In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] ("Parag Godkar") wrote:
...
> 9. Now from this telnet/ssh session, I would like the users to
> telnet/ssh to another linux server (or to the same server)
> in the same kerberos domain WITHOUT BEING PROMPTED FOR A
> PASSWORD.
>
> NOW THIS IS WHAT I WANT TO KNOW IF IT IS
> PRACTICABLE OR I AM TRYING TO DO SOMETHING
> IMPOSSIBLE?

Yes! It is possible, and everything up to here leads me to
expect it will work.

But as another followup has already pointed out, the server
apparently has no service key - from the server diagnostics,

> Miscellaneous failure No principal in keytab matches desired name

Someone needs to create a principal host/x.y.z and add its key
to /etc/krb5.keytab on x.y.z (the remote host).

Remember when testing the client, you must do that as the user
who logged in and has the credentials -- don't do it as root.

> 3. I have the following relevant lines in my sshd_config -
>
> #RSAAuthentication yes
> #PubkeyAuthentication yes
> #AuthorizedKeysFile .ssh/authorized_keys
> #PasswordAuthentication yes
> #PermitEmptyPasswords no
> #ChallengeResponseAuthentication yes
> KerberosAuthentication yes
> #KerberosOrLocalPasswd yes
> #KerberosTicketCleanup yes
> GssapiAuthentication yes
> GssapiKeyExchange yes
> GssapiUseSessionCredCache yes
> #AFSTokenPassing no
> #KerberosTgtPassing no
> #PAMAuthenticationViaKbdInt no
>
> and the following relevant lines in my ssh_config -
>
> # Host *
> # ForwardAgent no
> # ForwardX11 no
> # PasswordAuthentication yes
> GssapiAuthentication yes
> GSSAPIDelegateCredentials yes

"KerberosAuthentication yes" alone, in both, should be enough,
something you can easily try if you have further difficulties.

Donn Cave, [EMAIL PROTECTED]
________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
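
The "No principal in keytab matches desired name" diagnostic quoted in the reply means the server's keytab holds no entry for host/x.y.z. As an added example (not part of the original thread), this Python code parses the MIT keytab file format, version 0x0502, and checks for that principal; the function names, the EXAMPLE.COM realm and the sample entries with all-zero keys are constructed for illustration.

```python
import struct

def _counted(buf, p):  # 16-bit length-prefixed string -> (text, next offset)
    (n,) = struct.unpack_from(">H", buf, p)
    return buf[p + 2:p + 2 + n].decode(), p + 2 + n

def keytab_principals(buf):
    """List (principal, kvno, enctype) for each entry of a 0x0502 keytab."""
    if buf[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, pos = [], 2
    while pos + 4 <= len(buf):
        (size,) = struct.unpack_from(">i", buf, pos)
        p, pos = pos + 4, pos + 4 + abs(size)   # pos now points at the next record
        if size <= 0:                  # deleted entry ("hole"): skip it
            continue
        if pos > len(buf):
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", buf, p)
        realm, p = _counted(buf, p + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(buf, p)
            comps.append(c)
        p += 8                         # skip name type and timestamp
        kvno, enctype, klen = struct.unpack_from(">BHH", buf, p)
        p += 5 + klen                  # step over the key bytes; never print them
        if pos - p >= 4:               # optional trailing 32-bit kvno
            kvno = struct.unpack_from(">I", buf, p)[0] or kvno
        out.append(("/".join(comps) + "@" + realm, kvno, enctype))
    return out

def has_host_key(buf, fqdn):
    """True if the keytab holds a key for host/<fqdn> in any realm."""
    return any(n.startswith("host/" + fqdn + "@") for n, _, _ in keytab_principals(buf))

def make_entry(principal, kvno=1, enctype=18, key=b"\x00" * 32):  # demo data only
    name, realm = principal.split("@")
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    comps = name.split("/")
    body = (struct.pack(">H", len(comps)) + cs(realm) + b"".join(map(cs, comps))
            + struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key))
            + key + struct.pack(">I", kvno))
    return struct.pack(">i", len(body)) + body

# Constructed sample: a keytab that lacks host/x.y.z, then one that has it.
MISSING = b"\x05\x02" + make_entry("host/a.b.c@EXAMPLE.COM", 2)
FIXED = MISSING + make_entry("host/x.y.z@EXAMPLE.COM", 3)
print(has_host_key(MISSING, "x.y.z"), has_host_key(FIXED, "x.y.z"))
```

On the remote host the same check would read the real file, for example `has_host_key(open("/etc/krb5.keytab", "rb").read(), "x.y.z")`, which needs read access to the keytab. The principal match is case-sensitive, so a keytab entry whose host name differs only in case still counts as missing.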