On 07/15/2016 12:25 AM, Brandon Allbery wrote:
> On 7/14/16, 17:32, "kerberos-boun...@mit.edu on behalf of Mauro Cazzari"
> <kerberos-boun...@mit.edu on behalf of mymagi...@gmail.com> wrote:
>
>     # Kerberos options
>     KerberosAuthentication yes
>     KerberosOrLocalPasswd yes
>     KerberosTicketCleanup yes
>     #KerberosGetAFSToken no
>     #KerberosUseKuserok yes
>
> I would turn these off; they refer to an older Kerberos API in ssh and may
> interfere with GSSAPI.
>
> The others look correct. Note that if it is using public key authentication
> to get to the next server, it will not use the Kerberos code and therefore
> won’t forward (delegate) credentials to the next server. (Also note that if
> there are other matching Host blocks, the “Host *” block in ssh_config won’t
> be used.)
>

and remember that tickets need to be flagged as forwardable (i.e. "kinit -f ..."
or by setting "forwardable = true" in /etc/krb5.conf, [libdefaults])

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
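
A check for the two conditions raised in this thread (a forwardable TGT, and a client configuration that actually delegates), as an added example that is not part of the original messages. It assumes the MIT `klist -f` output layout and `ssh -G` (OpenSSH 6.8 or later); the function names, principal and host names are hypothetical and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example: checks for the two conditions GSSAPI delegation depends on.
# Both functions read command output on stdin, so they can be run offline.

# Succeeds if the krbtgt entry in `klist -f` output (MIT layout assumed)
# carries the "F" (forwardable) flag. Lowercase "f" means "forwarded".
tgt_is_forwardable() {
    awk '
        index($0, "krbtgt/") { in_tgt = 1; next }
        in_tgt && /Flags:/ {
            sub(/.*Flags: */, "")
            found = (index($0, "F") > 0)
            exit
        }
        END { exit !found }
    '
}

# Succeeds if `ssh -G <host>` output (the effective client configuration
# for that host) has both GSSAPI authentication and delegation enabled.
ssh_will_delegate() {
    awk '
        $1 == "gssapiauthentication"      { auth  = ($2 == "yes") }
        $1 == "gssapidelegatecredentials" { deleg = ($2 == "yes") }
        END { exit !(auth && deleg) }
    '
}

# Constructed sample inputs (not taken from the thread).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
07/15/2016 09:00:00  07/15/2016 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: FIA'
SAMPLE_KLIST_NOFWD=$(printf '%s\n' "$SAMPLE_KLIST" | sed 's/Flags: FIA/Flags: IA/')
SAMPLE_SSH_G='hostname hop2.example.com
gssapiauthentication yes
gssapidelegatecredentials no'

printf '%s\n' "$SAMPLE_KLIST" | tgt_is_forwardable && echo "TGT is forwardable"
printf '%s\n' "$SAMPLE_SSH_G" | ssh_will_delegate || echo "ssh will not delegate to this host"

# Live use: klist -f | tgt_is_forwardable ; ssh -G nexthost | ssh_will_delegate
```

Checking the `ssh -G` output rather than reading ssh_config by hand shows the values the client will really use for that host once every matching block has been applied.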