
doqc1 08-20-2011 06:36 AM

kerberos SSO: ssh not trying gssapi-with-mic
I am setting up some debian squeeze boxes in a kerberos realm which will allow users to ssh from machine to machine in the realm without reentering their password.
This was working OK but something has changed meaning that the user is asked for a password on every box whether a valid kerberos ticket is held or not.

I have the following in /etc/ssh/ssh_config on all the boxes:

    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

and in /etc/ssh/sshd_config:

    GSSAPIAuthentication yes
    GSSAPICleanupCredentials yes

However, when ssh'ing from one to another a password is still required. It seems that the gssapi-with-mic auth method is being skipped for some reason, looking at the output of ssh -vvv:

    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
    debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
    debug3: preferred publickey,keyboard-interactive,password
    debug3: authmethod_lookup publickey
    debug3: remaining preferred: keyboard-interactive,password
    debug3: authmethod_is_enabled publickey
    debug1: Next authentication method: publickey
    debug1: Trying private key: /home/testuser/.ssh/id_rsa
    debug3: no such identity: /home/testuser/.ssh/id_rsa
    debug1: Trying private key: /home/testuser/.ssh/id_dsa
    debug3: no such identity: /home/testuser/.ssh/id_dsa
    debug2: we did not send a packet, disable method
    debug3: authmethod_lookup keyboard-interactive
    debug3: remaining preferred: password
    debug3: authmethod_is_enabled keyboard-interactive
    debug1: Next authentication method: keyboard-interactive
    debug2: userauth_kbdint
    debug2: we sent a keyboard-interactive packet, wait for reply
    debug2: input_userauth_info_req
    debug2: input_userauth_info_req: num_prompts 1

Once the password is entered the user is allowed in no problems. But I'm puzzled as to why credential delegation isn't working.
Any clues why gssapi-with-mic is being dropped by ssh?

doqc1 08-22-2011 04:04 AM

Hmm, I've discovered that if I use the "ssh -K ..." command then credential delegation works fine on all machines.
The ssh config (and sshd config) is identical on all machines so very confusing why delegation is working by default on some boxes and not others.
But at least I have a workaround.
