[OpenAFS] forwarding credentials with OpenSSH, Kerberos and pam-afs-session

Jim Rees rees@umich.edu
Thu, 6 Sep 2007 12:11:35 -0400


Ken Aaker wrote:

  Thanks for the clues, I am probably missing the host principal. I did
  try various settings of the GSSAPI ssh config parameters, but they
  didn't seem to change the behavior. For the host principal, do I need to
  have those in keytabs?

The GSS config params to ssh won't do a thing until you install the host key
on the server side.  Mine is in krb5.keytab, in the same directory as
krb5.conf (/etc/kerberosV for me).  This is Heimdal on OpenBSD, but Linux
and/or MIT should be similar.

If it still won't work, try "ssh -v" to see whether it's attempting GSS
authentication.  When it works you'll see something like this:

debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentication succeeded (gssapi-with-mic).

I've got some other bits in my krb5.conf but I don't know if they are really
needed:

[libdefaults]
        ticket_lifetime = 36000
        default_realm = CITI.UMICH.EDU
        forwardable = true

[appdefaults]
        afs-use-524 = 2b
        no-addresses = true
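
Added example (not part of the original message, and not code from OpenSSH or OpenAFS): a shell filter that reads "ssh -v" output and reports how far GSSAPI authentication got, matching only the debug lines quoted above. The function name classify_gss, the state labels, the host name somehost and the two constructed transcripts are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: report how far GSSAPI got in `ssh -v` output read on stdin.
# Matches only the debug lines quoted in the message above.
classify_gss() {
    awk '
        /Authentications that can continue:.*gssapi-with-mic/ { offered = 1 }
        /Next authentication method: gssapi-with-mic/         { tried = 1 }
        /Delegating credentials/                              { delegated = 1 }
        /Authentication succeeded \(gssapi-with-mic\)/        { ok = 1 }
        END {
            if (ok && delegated) print "gss-ok-delegated"
            else if (ok)         print "gss-ok-not-delegated"
            else if (tried)      print "gss-tried-failed"
            else if (offered)    print "gss-offered-not-tried"
            else                 print "gss-not-offered"
        }'
}

# The working transcript from the message above.
sample_working() {
    cat <<'EOF'
debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentication succeeded (gssapi-with-mic).
EOF
}

# Constructed transcript: GSSAPI is tried, then ssh falls back to a password.
sample_fallback() {
    cat <<'EOF'
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: password
debug1: Authentication succeeded (password).
EOF
}

# Constructed transcript: GSSAPI succeeds but no delegation line appears.
sample_no_delegation() {
    sample_working | grep -v 'Delegating credentials'
}

# Live use (debug output goes to stderr): ssh -v somehost true 2>&1 | classify_gss
for s in sample_working sample_fallback sample_no_delegation; do
    printf '%s: %s\n' "$s" "$("$s" | classify_gss)"
done
```

A result of gss-ok-not-delegated means the login worked but no credentials were forwarded, which is the case this thread's subject is concerned with.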