[OpenAFS] forwarding credentials with OpenSSH, Kerberos and pam-afs-session

david l goodrich dlg@dsrw.org
Thu, 6 Sep 2007 13:05:09 -0500 (CDT)

On Thu, September 6, 2007 12:38 pm, Ken Aaker wrote:
> Jim Rees wrote:
>> Ken Aaker wrote:
>> If it still won't work, try "ssh -v" to see whether it's attempting GS=
>> authentication.  When it works you'll see something like this:
>> debug1: Authentications that can continue:
>> publickey,gssapi-with-mic,password,keyboard-interactive
>> debug1: Next authentication method: gssapi-with-mic
>> debug1: Delegating credentials
>> debug1: Delegating credentials
>> debug1: Authentication succeeded (gssapi-with-mic).
> It's really close, it's working from "ralph" to "mars", but not from
> "mars" to "ralph".
> I get 3 "debug2: we sent a gssapi-with-mic packet, wait for reply"
> messages, then it fails over to password. The keytab files are identica=
> on the machines, and GSSAPIAuthentication is turned on in sshd_config o=
> both. Still something to do with the keytab on "ralph"?

Ralph should have the principal host/ralph.example.com in its keytab, and
mars should have host/mars.example.com.  You don't want to use the same
host principal across multiple hosts.

> Ken
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info