[OpenAFS] forwarding credentials with OpenSSH, Kerberos
and pam-afs-session
Ken Aaker
kaaker@brocade.com
Thu, 06 Sep 2007 13:16:12 -0500
david l goodrich wrote:
>
>> I get 3 "debug2: we sent a gssapi-with-mic packet, wait for reply"
>> messages, then it fails over to password. The keytab files are identical
>> on the machines, and GSSAPIAuthentication is turned on in sshd_config on
>> both. Still something to do with the keytab on "ralph"?
>>
>
> Ralph should have the principal host/ralph.example.com in its keytab, and
> mars should have host/mars.example.com. You don't want to use the same
> host principal across multiple hosts.
> --david
>
>
Hmmm.... Now I'm confused again. Maybe my mental model is screwed up. I
was assuming that the host principals listed in the keytab on the
destination system were being used to verify the identity of the
incoming client host, sort of like ssh's known_hosts? But then, how does
the incoming system choose its principal identity?
Ken
Here's the klist output of my /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 host/sif.aaker.org@AAKER.ORG
3 host/sif.aaker.org@AAKER.ORG
2 host/mars.aaker.org@AAKER.ORG
2 host/mars.aaker.org@AAKER.ORG
2 host/dv.aaker.org@AAKER.ORG
2 host/dv.aaker.org@AAKER.ORG
2 host/ted.aaker.org@AAKER.ORG
2 host/ted.aaker.org@AAKER.ORG
2 host/surt.aaker.org@AAKER.ORG
2 host/surt.aaker.org@AAKER.ORG
2 host/honor.aaker.org@AAKER.ORG
2 host/honor.aaker.org@AAKER.ORG
2 host/ralph.aaker.org@AAKER.ORG
2 host/ralph.aaker.org@AAKER.ORG
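One way to check the point david makes (each host should carry only its own host/ principal) against a keytab listing like the one above, as an added example that is not code from the thread; `parse_klist`, `audit_keytab` and the constructed sample text are assumptions, the host names and realm are the ones from the message:

```python
import re
from collections import defaultdict

# Constructed sample, abbreviated from the `klist -k` output above (not live data).
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/sif.aaker.org@AAKER.ORG
   3 host/sif.aaker.org@AAKER.ORG
   2 host/mars.aaker.org@AAKER.ORG
   2 host/mars.aaker.org@AAKER.ORG
   2 host/ralph.aaker.org@AAKER.ORG
   2 host/ralph.aaker.org@AAKER.ORG
"""

# One keytab entry per line: a KVNO followed by a principal name.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def parse_klist(text):
    """Return {principal: set of KVNOs} from `klist -k` output.

    The same principal is listed once per key (enctype), so repeated
    lines collapse into one entry here."""
    entries = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m and "/" in m.group(2) and "@" in m.group(2):
            entries[m.group(2)].add(int(m.group(1)))
    return dict(entries)


def audit_keytab(text, local_fqdn, realm):
    """Check that the keytab holds this host's own host/ principal and
    list every other host's service key it also holds (a keytab copied
    between machines carries keys that do not belong on this host)."""
    entries = parse_klist(text)
    expected = f"host/{local_fqdn}@{realm}"
    foreign = sorted(p for p in entries
                     if p.startswith("host/") and p != expected)
    return {"has_own": expected in entries,
            "foreign_hosts": foreign,
            "kvno": sorted(entries.get(expected, ()))}


if __name__ == "__main__":
    print(audit_keytab(SAMPLE_KLIST, "ralph.aaker.org", "AAKER.ORG"))
```

Run it with the output of `klist -k -e` on a real host to also see which enctype each repeated line belongs to; any entry in `foreign_hosts` is a key that should be removed from that machine's keytab.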