CDC,

Unfortunately I can't use IRC here, as I imagine I don't have any keytab file

os112:~ # klist -kte
Keytab name: WRFILE:/etc/krb5.keytab
klist: No such file or directory while starting keytab scan

How can I generate this file directly on Linux?
If I generate this file on Windows, can I export it to Linux?

BTW, I'm using Windows Server 2003 R2 Enterprise SP2.

thank you,
marcello

On Mon, Jan 4, 2010 at 3:30 PM, Christopher D. Clausen <cclau...@acm.org> wrote:
> Marcello,
>
> Can you show us the output of klist -kte (as root) on the machine running
> sshd? You need to have a proper keytab for ssh to use GSSAPI
> authentication.
>
> Against AD, you can generate a keytab using ktpass.exe. Make sure you are
> using the 2003 SP2 version (or newer) of ktpass as some known problems were
> fixed. http://support.microsoft.com/kb/926027
>
> There are several of us in the #kerberos IRC channel on Freenode if you
> would like some interactive help in getting this to work.
>
> <<CDC
>
> Marcello Mezzanotti <marcello.mezzano...@gmail.com> wrote:
>>
>> Hans,
>>
>> Thanks for your help, my sshd_config options match yours, sshd_config
>> doesn't recognise the GSSAPIKeyExchange and GSSAPITrustDNS options.
>>
>> I continue to receive the "we sent a gssapi-with-mic packet, wait for
>> reply" DEBUG message and then ssh tries password auth.
>>
>> I saw something related to krb5.keytab, do you know something about
>> this file?
>>
>> thank you,
>> marcello
>>
>>
>>
>> On Mon, Jan 4, 2010 at 3:01 PM, Hans van Zijst <h...@woefdram.nl>
>> wrote:
>>>
>>> Hi Marcello,
>>>
>>> A while ago I created the same construction that you want: ssh to a
>>> Linux machine and log in automatically with Kerberos. My KDC also is
>>> a Windows 2003 box with UNIX Services installed. It's been a while,
>>> and I don't remember a lot of details. I remember it did take quite a
>>> bit of work though :)
>>>
>>> In the logs you sent, I can't really find anything, but it "feels"
>>> like an incomplete SSH daemon configuration.
>>>
>>> In my sshd-config there are also these lines:
>>>
>>> PasswordAuthentication no
>>> KerberosAuthentication yes
>>> KerberosOrLocalPasswd no
>>> KerberosTicketCleanup yes
>>> GSSAPIAuthentication yes
>>> GSSAPICleanupCredentials yes
>>>
>>> On my client machine, I configured /etc/ssh/ssh_config with:
>>>
>>> GSSAPIKeyExchange yes
>>> GSSAPITrustDNS yes
>>> GSSAPIAuthentication yes
>>> GSSAPIDelegateCredentials yes
>>>
>>> I hope this will help you a bit. If not, please post the
>>> configuration of both the ssh-server and the ssh-client and I'll
>>> have a closer look.
>>>
>>> Kind regards,
>>>
>>> Hans
>

--
Marcello Mezzanotti <marcello.mezzano...@gmail.com>
http://blogdomarcello.wordpress.com
Information Security
UNIX / Linux / *BSD
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
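
An added example, not part of the thread or written by any of its participants: a preflight check for the two server-side conditions discussed above, that sshd has GSSAPIAuthentication enabled and that the `klist -kte` output lists a host/ entry for the machine. The function names, the hostname os112.example.com, the realm EXAMPLE.COM, the sample sshd_config fragment and the successful klist output are constructed assumptions; the failing klist output is the one quoted in the message.

```shell
#!/bin/sh
# Constructed samples; hostname and realm are placeholders, not from the thread.
SAMPLE_SSHD_CONFIG='# constructed sshd_config fragment
PasswordAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes'
# The failure shown in the thread: no keytab file at all.
SAMPLE_KLIST_MISSING='Keytab name: WRFILE:/etc/krb5.keytab
klist: No such file or directory while starting keytab scan'
SAMPLE_KLIST_OK='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ----------------------------------------
   3 01/04/10 15:30:00 host/os112.example.com@EXAMPLE.COM (arcfour-hmac)'

# Print the effective value of an sshd_config keyword (config on stdin).
# sshd keeps the first value seen; keywords are case-insensitive.
# Simplification: parsing stops at the first Match block.
sshd_option() {
    awk -v key="$1" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }'
}

# Succeed if klist -kte output on stdin lists a host/<fqdn>@REALM entry.
keytab_has_host() {
    awk -v p="host/$1@" '
        $1 ~ /^[0-9]+$/ { for (i = 2; i <= NF; i++) if (index($i, p) == 1) found = 1 }
        END { exit !found }'
}

# gssapi_preflight <sshd_config text> <klist -kte output> <fqdn>
# Prints one line per check and returns the number of failed checks.
gssapi_preflight() {
    fails=0
    val=$(printf '%s\n' "$1" | sshd_option GSSAPIAuthentication)
    if [ "$val" = "yes" ]; then echo "OK   GSSAPIAuthentication yes"
    else echo "FAIL GSSAPIAuthentication is ${val:-unset}"; fails=$((fails + 1)); fi
    if printf '%s\n' "$2" | keytab_has_host "$3"; then echo "OK   keytab has host/$3"
    else echo "FAIL keytab has no host/$3 entry"; fails=$((fails + 1)); fi
    return "$fails"
}

# Demo: the thread's state (no keytab), then a host with a keytab in place.
gssapi_preflight "$SAMPLE_SSHD_CONFIG" "$SAMPLE_KLIST_MISSING" os112.example.com || true
gssapi_preflight "$SAMPLE_SSHD_CONFIG" "$SAMPLE_KLIST_OK" os112.example.com || true
```

On a real host, run it as root with "$(cat /etc/ssh/sshd_config)" and "$(klist -kte 2>&1)" as the first two arguments and the machine's fully qualified name as the third.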