Marcello, Can you show us the output of klist -kte (as root) on the machine running sshd? You need to have a proper keytab for ssh to use GSSAPI authentication.
Against AD, you can generate a keytab using ktpass.exe. Make sure you are using the 2003 SP2 version (or newer) of ktpass as some known problems were fixed. http://support.microsoft.com/kb/926027 There are several of us in the #kerberos IRC channel on Freenode if you would like some interactive help in getting this to work. <<CDC Marcello Mezzanotti <marcello.mezzano...@gmail.com> wrote: > Hans, > > Thaks for your help, my sshd_config options match yours, sshd_config > doesnt recognises GSSAPIKeyExchange and GSSAPITrustDNS options. > > I continue to receive the "we sent a gssapi-with-mic packet, wait for > reply" DEBUG message and the ssh tries password auth. > > i saw something related to krb5.keytab, do you know something about > this file? > > thank you, > marcello > > > > On Mon, Jan 4, 2010 at 3:01 PM, Hans van Zijst <h...@woefdram.nl> > wrote: >> Hi Marcello, >> >> A while ago I created the same construction that you want: ssh to a >> Linux machine and login automatically with Kerberos. My KDC also is >> a Windows 2003 box with UNIX Services installed. It's been a while, >> and I don't remember a lot of details. I remember it did take quit a >> bit of work though :) >> >> In the logs you sent, I can't really find anything, but it "feels" >> like an incomplete SSH daemon configuration. >> >> In my sshd-config there are also these lines: >> >> PasswordAuthentication no >> KerberosAuthentication yes >> KerberosOrLocalPasswd no >> KerberosTicketCleanup yes >> GSSAPIAuthentication yes >> GSSAPICleanupCredentials yes >> >> On my client machine, I configured /etc/ssh/ssh_config with: >> >> GSSAPIKeyExchange yes >> GSSAPITrustDNS yes >> GSSAPIAuthentication yes >> GSSAPIDelegateCredentials yes >> >> I hope this will help you a bit. If not, please post the >> configuration of both the ssh-server and the ssh-client and I'll >> have a closer look. >> >> Kind regards, >> >> Hans ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
