> login as: mmezzanotti
> Using keyboard-interactive authentication.
> Password:
> Last login: Wed Dec 30 14:00:19 2009 from localhost
> Have a lot of fun...
> mmezzano...@os112:~> ls
> bin Documents Music Public Templates
> Desktop Download Pictures public_html Videos
> mmezzano...@os112:~> klist
> Ticket cache: FILE:/tmp/krb5cc_10002_b8QDZx
> Default principal: mmezzano...@vmwarelab.int
>
> Valid starting Expires Service principal
> 01/04/10 13:58:36 01/04/10 23:58:37 krbtgt/vmwarelab....@vmwarelab.int
> renew until 01/05/10 13:58:36

I'm not sure if you are actually testing ticket authentication, but just Kerberos password authentication (by far much easier).

To actually check what you want, I recommend you start working just on the Linux node, and enter as whichever user. Then

    # kinit mmezzanotti
    # ssh mmezzano...@os112

If it does ask you for a password, then credential authentication is not working. And depending on whether your TGT was proxyable or not, you might even end up with void output from klist.

Someone answered about the need of a host keytab to achieve this. As far as I remember that is not mandatory for Linux (or wasn't for a Debian in 2004), but take it into account.

> mmezzano...@os112:~> ssh -vvv mmezzano...@os112.vmwarelab.int
>

Try adding 'debug' to all pam.d lines on Kerberos. That will produce much less verbose and hopefully more useful info.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
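
The kinit-then-ssh check in the message above can also be read from the client's debug output instead of from whether a prompt appears. The script below is an added example, not part of the original post: it keys on the "Authentication succeeded (<method>)" line that OpenSSH prints at -v, and the function names, the user@host placeholder and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Classify how an ssh login was authenticated, from the client's `ssh -v` debug output.
# Real use (user@host is a placeholder), run after kinit:
#   ssh -v user@host true 2>&1 | auth_verdict

# Print the method from OpenSSH's "Authentication succeeded (<method>)." line.
auth_method() {
    sed -n 's/^debug1: Authentication succeeded (\([^)]*\)).*/\1/p' | head -n 1
}

# Map the method to a verdict: ticket, password, other:<method>, or none.
auth_verdict() {
    method=$(auth_method)
    case "$method" in
        gssapi-with-mic|gssapi-keyex)  echo "ticket" ;;
        keyboard-interactive|password) echo "password" ;;
        "")                            echo "none" ;;
        *)                             echo "other:$method" ;;
    esac
}

# Constructed sample: GSSAPI is tried and fails, then the password prompt succeeds.
sample_password_login() {
    cat <<'EOF'
debug1: Authentications that can continue: gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
debug1: Next authentication method: keyboard-interactive
debug1: Authentication succeeded (keyboard-interactive).
EOF
}

# Constructed sample: the ticket from kinit is accepted, no prompt is shown.
sample_ticket_login() {
    cat <<'EOF'
debug1: Authentications that can continue: gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Authentication succeeded (gssapi-with-mic).
EOF
}

echo "password sample: $(sample_password_login | auth_verdict)"
echo "ticket sample:   $(sample_ticket_login | auth_verdict)"
```

A "password" verdict on a login made right after kinit means the server fell back to PAM password checking, which matches the session quoted at the top of the message.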