Hi Marcello, Ah, you didn't have a keytab. I assumed you did :)
I used Windows to create the key and added it to /etc/krb5.keytab with ktutil. Perhaps these entries in /etc/krb5.conf make a difference. In your case, YaST has probably taken care of this file, but this is what I have put into it (apart from the other stuff like realm name and so): [libdefaults] forwardable = true proxiable = true [appdefaults] forwardable = yes validate = true Kind regards, Hans Marcello Mezzanotti wrote: > Hans, > > Thaks for your help, my sshd_config options match yours, sshd_config > doesnt recognises GSSAPIKeyExchange and GSSAPITrustDNS options. > > I continue to receive the "we sent a gssapi-with-mic packet, wait for > reply" DEBUG message and the ssh tries password auth. > > i saw something related to krb5.keytab, do you know something about this file? > > thank you, > marcello > > > > On Mon, Jan 4, 2010 at 3:01 PM, Hans van Zijst <h...@woefdram.nl> wrote: >> Hi Marcello, >> >> A while ago I created the same construction that you want: ssh to a Linux >> machine and login automatically with Kerberos. My KDC also is a Windows 2003 >> box with UNIX Services installed. It's been a while, and I don't remember a >> lot of details. I remember it did take quit a bit of work though :) >> >> In the logs you sent, I can't really find anything, but it "feels" like an >> incomplete SSH daemon configuration. >> >> In my sshd-config there are also these lines: >> >> PasswordAuthentication no >> KerberosAuthentication yes >> KerberosOrLocalPasswd no >> KerberosTicketCleanup yes >> GSSAPIAuthentication yes >> GSSAPICleanupCredentials yes >> >> On my client machine, I configured /etc/ssh/ssh_config with: >> >> GSSAPIKeyExchange yes >> GSSAPITrustDNS yes >> GSSAPIAuthentication yes >> GSSAPIDelegateCredentials yes >> >> I hope this will help you a bit. If not, please post the configuration of >> both the ssh-server and the ssh-client and I'll have a closer look. >> >> Kind regards, >> >> Hans >> >> > > ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
