• Status: Solved
  • Priority: Medium

How do I configure GSSAPI->Kerberos V to work with openssh-3.9p1-8 on RHEL4U4?


RHEL4U4 - fresh installation
openssh-3.9p1-8 RPMs for openssh
Fully operational KDC
Correctly configured host and user principals for hostA and hostB

Problem: kerberos login not attempted via GSSAPI and sshd on hostB when logging in as usera from hostA with current TGT and correct CC.

Should this just work, or am I banging my head on a wall again?
We have no AFS, which most of the info on Google seems to refer to.

Many thanks.
Kerem ERSOY (President) Commented:

First of all, please make sure that HostA /etc/ssh/sshd_config has these options enabled (i.e., not commented out):

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

If not, modify and save, exit, and restart the sshd service.

Then edit /etc/ssh/ssh_config and make sure that:
GSSAPIAuthentication yes

is there. If not, modify it.

Then start kde on your local host:
kinit user@realm
If you get "kinit(v5): Cannot find KDC for requested realm while getting initial credentials" then it means that you have a problem with Kerberos. Please reconfigure it.

If it is ok then you can
ssh host

and it should succeed.
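
The configuration checks described in the answer above can be scripted. This is an added example, not part of any post in this thread: the function names `effective_value` and `check_gssapi` are hypothetical, the sample files are constructed, and Host/Match scoping is ignored.

```shell
#!/bin/sh
# Added example (not from the thread): report the effective value of the
# GSSAPI keywords the answer lists. OpenSSH keywords are case-insensitive and
# the first value obtained wins; Host/Match scoping is ignored here.

# effective_value FILE KEYWORD -> first uncommented value, or "unset"
effective_value() {
    awk -v kw="$2" '
        BEGIN { want = tolower(kw); found = 0 }
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        {
            gsub(/=/, " ")                      # "Keyword=value" is also accepted
            if (tolower($1) == want) { print $2; found = 1; exit }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# check_gssapi SSHD_CONFIG SSH_CONFIG -> 0 only if all three settings are "yes"
check_gssapi() {
    rc=0
    for item in "$1:GSSAPIAuthentication" "$1:GSSAPICleanupCredentials" \
                "$2:GSSAPIAuthentication"; do
        file=${item%:*}; kw=${item##*:}
        val=$(effective_value "$file" "$kw")
        printf '%-40s %-26s %s\n' "$file" "$kw" "$val"
        [ "$val" = "yes" ] || rc=1
    done
    return "$rc"
}

# Constructed sample files standing in for /etc/ssh/sshd_config and ssh_config.
demo_dir=$(mktemp -d)
cat > "$demo_dir/sshd_config" <<'EOF'
#GSSAPIAuthentication yes
GSSAPIAuthentication no
gssapiauthentication yes
GSSAPICleanupCredentials yes
EOF
cat > "$demo_dir/ssh_config" <<'EOF'
Host *
    GSSAPIAuthentication yes
EOF

if check_gssapi "$demo_dir/sshd_config" "$demo_dir/ssh_config"; then
    echo "GSSAPI settings from the answer are all enabled"
else
    echo "at least one setting is not effectively 'yes'"
fi
```

In the constructed sshd_config the commented-out line is skipped and the later `yes` never takes effect, because the earlier uncommented `no` is read first.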

engerd (Author) Commented:
Hi KeremE,
This is all configured correctly.  I noticed a short time ago, that a specific user *can* ssh without a password with a suitable TGT in their CC.  This does not work for root.

So ... I believe the problem is in the LDAP UID lookup rather than Kerberos.  root account doesn't work either, which is also mystifying.

Thanks for your help in any case.
Kerem ERSOY (President) Commented:
I am sure you've checked that but just to make sure. Did you enable root login in your sshd_config of ServerA?

engerd (Author) Commented:
We've been using ssh a lot longer than Kerberos ;-)   I've just got root to work - missing the root@REALM principal - doh!  We don't put root into LDAP via inetorgperson or otherwise!

Thanks again for your help.  I'll throw the points to you in any case.
Kerem ERSOY (President) Commented:
BTW what is your kinit name? Is it also root@realm? Or are you using a realm other than root that has no access to root credentials?
If so, please include it in the root realm.
Kerem ERSOY (President) Commented:
Oops, you've already put it in there :) Sorry, I did not see your comment. Thanks anyway :)
Question has a verified solution.
