Hi all,

I have configured 'passwordless' SSH between our machines using GSSAPI authentication which is all working beautifully (Active Directory KDC).

I now want to make sure that the user's kerberos crednetials are forwarded as well using the 'GSSAPIDelegateCredentials yes' on the SSH client.

However, it seems as though the openssh server on Red Hat 4.8 has not been compiled to support this, because if I run sshd in debug mode, I see the client 'delegating credentials' but nothing appears in the debug log on the server to suggest the the credentials have been received, and sure enough a quick 'klist' shows that the user does not have any tickets.

So two questions:

1. Am I right about openssh-server on Red Hat Enterprise 4.8 not supporting delegated credentials?

2. What flag would I need to recompile the src.rpm so that it will work?

Thanks in advance!

No, it forwards them OK, just that the GSSAPI forwarding is not enabled by default in sshd_config.

The SSH client doesn't forward by default hence the need for 'GSSAPIDelegateCredentials yes' in ssh_config, but what option is needed in sshd_config in order for it to accept them?

The man pages for sshd_config do not seem to contain anything pertaining to accepting delegated credentials. I tried 'GSSAPIStoreDelegatedCredentials yes' which is what I would do on a Solaris box but Linux doesn't like this.

Any further help much appreciated.

I feel stupid.

I hadn't specified forwardable tickets in krb5.conf!!!

Ooops.

Sorry for not replying, but I couldn't find anything worht saying. I could see on Solaris sshd manpages that there were options about storing the forwarded credentials, but didn't seem to find the same option on a clearly Linux version. I knew i'd done it as part of my RH442 exam study though, but that wouldn't exactly help you!