Latest LQ Deal: Linux Power User Bundle
Go Back > Forums > Linux Forums > Linux - Software
User Name
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.


  Search this Thread
Old 08-20-2011, 07:36 AM   #1
LQ Newbie
Registered: Jul 2011
Posts: 6

Rep: Reputation: Disabled
kerberos SSO: ssh not trying gssapi-with-mic

I am setting up some debian squeeze boxes in a kerberos realm which will allow users to ssh from machine to machine in the realm without reentering their password.
This was working OK but something has changed meaning that the user is asked for a password on every box whether a valid kerberos ticket is held or not.

I have the following in /etc/ssh/ssh_config on all the boxes:
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
and in /etc/ssh/sshd_config
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
However, when ssh'ing from one to another a password is still required.. it seems that the gssapi-with-mic auth method is being skipped for some reason looking at the output of ssh -vvv:
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/testuser/.ssh/id_rsa
debug3: no such identity: /home/testuser/.ssh/id_rsa
debug1: Trying private key: /home/testuser/.ssh/id_dsa
debug3: no such identity: /home/testuser/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Once the password is entered the user is allowed in no problems. But I'm puzzled as to why credential delegation isn't working.
Any clues why gssapi-with-mic is being dropped by ssh?
Old 08-22-2011, 05:04 AM   #2
LQ Newbie
Registered: Jul 2011
Posts: 6

Original Poster
Rep: Reputation: Disabled
Hmm, I've discovered if I use the "ssh -K "... command then credential delegation works fine on all machines.
The ssh config (and sshd config) is identical on all machines so very confusing why delegation is working by default on some boxes and not others.
But at least I have a workaround.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Amanda Backup Permission denied (publickey,gssapi-with-mic,password). error mcdown75 Linux - Software 6 07-10-2014 12:42 PM
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-inte ract MilanK Linux - Newbie 1 03-20-2012 04:44 AM
ssh and kerberos error: Server not found in Kerberos database Felipe Linux - Server 1 01-17-2011 04:12 AM
Apache and Kerberos SSO issues climbingmerlin Linux - Server 2 08-09-2009 06:12 AM
Authz_ldap? I need to have SSO with kerberos against a AD domain mujzeptu Linux - Server 6 02-07-2008 11:53 AM > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 09:50 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration