08-20-2011 06:36 AM
kerberos SSO: ssh not trying gssapi-with-mic
I am setting up some Debian squeeze boxes in a Kerberos realm which will allow users to ssh from machine to machine in the realm without reentering their password.
This was working OK, but something has changed, meaning that the user is asked for a password on every box whether a valid Kerberos ticket is held or not.
I have the following in /etc/ssh/ssh_config on all the boxes:
and in /etc/ssh/sshd_config
However, when ssh'ing from one to another a password is still required. Looking at the output of ssh -vvv, it seems that the gssapi-with-mic auth method is being skipped for some reason:
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/testuser/.ssh/id_rsa
debug3: no such identity: /home/testuser/.ssh/id_rsa
debug1: Trying private key: /home/testuser/.ssh/id_dsa
debug3: no such identity: /home/testuser/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req: num_prompts 1
Once the password is entered, the user is allowed in with no problems. But I'm puzzled as to why credential delegation isn't working.
Any clues why gssapi-with-mic is being dropped by ssh?
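
Added example, not part of the original post: a small Python parser for `ssh -vvv` output that compares the methods the server offers with the client's preferred list and with the methods actually attempted. The sample log is constructed from the lines quoted above, and the function and key names are assumptions of this example.

```python
import re

# Constructed sample: the relevant lines of the `ssh -vvv` output quoted in the post.
SAMPLE_LOG = """\
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug1: Next authentication method: publickey
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: we sent a keyboard-interactive packet, wait for reply
"""

# Anchored at line start so "remaining preferred:" lines are not mistaken
# for the initial "preferred" list.
OFFERED = re.compile(r"^debug1: Authentications that can continue: (\S+)")
PREFERRED = re.compile(r"^debug3: preferred (\S+)")
TRIED = re.compile(r"^debug1: Next authentication method: (\S+)")


def analyse_auth_log(text):
    """Summarise which auth methods were offered, preferred and tried."""
    offered, preferred, tried = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if m := OFFERED.match(line):
            offered = m.group(1).split(",")      # server's list (latest wins)
        elif m := PREFERRED.match(line):
            preferred = m.group(1).split(",")    # client's ordered list
        elif m := TRIED.match(line):
            tried.append(m.group(1))             # methods the client attempted
    return {
        "offered": offered,
        "preferred": preferred,
        "tried": tried,
        # Offered by the server but absent from the client's preferred list.
        "offered_not_preferred": [m for m in offered if m not in preferred],
        # Preferred and offered, but not reached in this capture.
        "preferred_not_tried": [m for m in preferred
                                if m in offered and m not in tried],
    }


if __name__ == "__main__":
    for key, value in analyse_auth_log(SAMPLE_LOG).items():
        print(f"{key}: {', '.join(value) or '-'}")
```

A method listed under `offered_not_preferred` is never attempted, because the client only walks its preferred list.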