[OpenAFS] forwarding credentials with OpenSSH, Kerberos and pam-afs-session
Jim Rees
rees@umich.edu
Thu, 6 Sep 2007 12:11:35 -0400
Ken Aaker wrote:
> Thanks for the clues, I am probably missing the host principal. I did
> try various settings of the GSSAPI ssh config parameters, but they
> didn't seem to change the behavior. For the host principal, do I need to
> have those in keytabs?

The GSS config params to ssh won't do a thing until you install the host key
on the server side. Mine is in krb5.keytab, in the same directory as
krb5.conf (/etc/kerberosV for me). This is Heimdal on OpenBSD, but Linux
and/or MIT should be similar.
If it still won't work, try "ssh -v" to see whether it's attempting GSS
authentication. When it works you'll see something like this:

debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentication succeeded (gssapi-with-mic).

I've got some other bits in my krb5.conf but I don't know if they are really
needed:

[libdefaults]
    ticket_lifetime = 36000
    default_realm = CITI.UMICH.EDU
    forwardable = true

[appdefaults]
    afs-use-524 = 2b
    no-addresses = true
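
The "ssh -v" check described in the message above, as an added example that is not part of the original post: a small shell helper that reads the debug output and reports how far GSSAPI authentication got. The function names, stage labels and hint texts are this example's own; the sample trace is constructed from the lines quoted in the message.

```shell
#!/bin/sh
# Added example, not from the original post. Reads `ssh -v` debug output on
# stdin and prints how far GSSAPI authentication got.
gss_diagnose() {
    awk '
        /Authentications that can continue:.*gssapi-with-mic/ { offered = 1 }
        /Next authentication method: gssapi-with-mic/         { tried = 1 }
        /Delegating credentials/                              { deleg = 1 }
        /Authentication succeeded \(gssapi-with-mic\)/        { ok = 1 }
        END {
            if (ok && deleg)  print "ok-delegated"
            else if (ok)      print "ok-not-delegated"
            else if (tried)   print "tried-failed"
            else if (offered) print "offered-not-tried"
            else              print "not-offered"
        }'
}

# Map each stage to the setting worth checking first (hints are this example's).
gss_hint() {
    case "$1" in
        ok-delegated)      echo "GSSAPI login worked and credentials were delegated" ;;
        ok-not-delegated)  echo "login worked; check GSSAPIDelegateCredentials and forwardable tickets" ;;
        tried-failed)      echo "client tried GSSAPI; check the host principal and the server keytab" ;;
        offered-not-tried) echo "server offers GSSAPI; check GSSAPIAuthentication in ssh_config" ;;
        *)                 echo "server did not offer gssapi-with-mic; check sshd_config" ;;
    esac
}

# Constructed sample: the successful trace quoted in the message above.
sample_ok() {
    cat <<'EOF'
debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentication succeeded (gssapi-with-mic).
EOF
}

stage=$(sample_ok | gss_diagnose)
echo "$stage: $(gss_hint "$stage")"
```

ssh writes its debug lines to stderr, so a live run needs the redirect: `ssh -v host true 2>&1 | gss_diagnose`, where `host` is a placeholder.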