Re: Question about GSSAPI with OpenSSH 4.2p1

11-04-2005
Sergio Gelato

* Jason.C.Burns@wellsfargo.com [2005-11-03 17:59:34 -0600]:
> Hey all, perhaps someone might be able to shed a little light on this
> problem. Nothing I find in books and groups seem to address the
> problem. I'm trying to set up a series of connections with ssh that
> authenticate through GSSAPI. However, it seems that the credentials are
> not getting passed.

[...]
> debug1: Got no client credentials

[...]
> What does 'Got no client credentials' mean? The client is sending them,
> so where do they go?


Are you sure that the client is actually sending them? The credential
delegation is buried inside the GSSAPI library, all the OpenSSH code
does is to set the "delegate" flag when initialising the security
context. If the library is unable to honour that flag, for example
because the TGT is not forwardable, then no credential will be
forwarded.

> Checking the ticket cache on the client...


Good idea, but...
>
> # klist
> Credentials cache: FILE:/tmp/krb5cc_xxx
> Principal: <user>/<domain>@<realm>
>
> Issued Expires Principal
> Nov 3 17:36:40 Nov 4 03:36:40 krbtgt/domain@realm


You need to inspect the ticket flags as well. "klist -f" usually shows them
(at least in the versions of klist I'm familiar with).

> Nov 3 17:37:52 Nov 4 03:36:40 host/<machine>@<realm>
>
> So it's even getting the ticket for the machine it is trying to go to
> using the tgt from the kinit.


That's not a forwarded ticket, however. The forwarded ticket would not
be stored in the client-side credentials cache (it isn't valid for the
client's IP address, only for the server's). You can find out whether it
is being issued by reading the KDC's logs or by examining the packets
exchanged between the GSSAPI library (in the ssh client) and the KDC.

> Any ideas? I'm starting to bang my head against the wall here.


I'd guess that you forgot to ask for a forwardable TGT at kinit time.
There are other possibilities (e.g., a bug in your GSSAPI library; you
didn't tell us which version you are using) but hopefully they don't
apply to your case.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://www.mindrot.org/mailman/listi...enssh-unix-dev
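The check Sergio recommends above, as an added example that is not part of his reply or of OpenSSH: a small POSIX shell script that reads `klist -f` output and tells you whether the TGT carries the F (forwardable) flag, then says what to run next. It assumes the MIT Kerberos `klist` layout, in which every ticket line is followed by an indented `Flags:` line when `-f` is given; Heimdal's `klist` prints flags in a different layout, so `tgt_flags()` would need adapting there. The two sample caches are constructed, not taken from the poster's system; `SAMPLE_*`, `tgt_flags`, `tgt_forwardable` and `check_live` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenSSH): decide from
# `klist -f` output whether the TGT carries the F (forwardable) flag, which is
# what sshd's "Got no client credentials" usually comes down to.
#
# Assumption: the MIT Kerberos klist layout, where each ticket line is followed
# by an indented "Flags: ..." line when -f is given. Heimdal's klist prints
# flags differently, so adapt tgt_flags() for it.

# Constructed sample: TGT obtained without `kinit -f` (no F flag).
SAMPLE_NOT_FORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
11/03/05 17:36:40  11/04/05 03:36:40  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: IA
11/03/05 17:37:52  11/04/05 03:36:40  host/server.example.com@EXAMPLE.COM
        Flags: A'

# Constructed sample: TGT obtained with `kinit -f` (F flag present).
SAMPLE_FORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
11/03/05 17:36:40  11/04/05 03:36:40  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: FIA
11/03/05 17:37:52  11/04/05 03:36:40  host/server.example.com@EXAMPLE.COM
        Flags: FA'

# tgt_flags: read klist -f output on stdin and print the Flags value of the
# krbtgt/ entry (empty if there is no TGT or klist was run without -f).
tgt_flags() {
    awk '
        $NF ~ /^krbtgt\// { in_tgt = 1; next }            # TGT line: service principal is the last field
        $1 == "Flags:"    { if (in_tgt) { print $2; exit }; next }
        NF > 0            { in_tgt = 0 }                   # any other non-blank line ends the TGT entry
    '
}

# tgt_forwardable: exit 0 when the TGT on stdin is forwardable, 1 otherwise.
# The match is case-sensitive on purpose: lowercase f means "forwarded", not
# "forwardable".
tgt_forwardable() {
    case "$(tgt_flags)" in
        *F*) return 0 ;;
        *)   return 1 ;;
    esac
}

# check_live: run the check against the real credential cache and say what to
# do next. GSSAPIDelegateCredentials is the ssh option that sets the
# "delegate" flag mentioned in the post; kinit -f asks the KDC for a
# forwardable TGT.
check_live() {
    if ! command -v klist >/dev/null 2>&1; then
        echo "klist not found in PATH" >&2
        return 2
    fi
    if klist -f 2>/dev/null | tgt_forwardable; then
        echo "TGT is forwardable; delegate it with:"
        echo "  ssh -o GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=yes user@host"
    else
        echo "TGT is not forwardable; get a new one with: kinit -f" >&2
        return 1
    fi
}

# Only touch the live cache when asked to; the samples above are used otherwise.
if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

Run it as `sh check_tgt.sh --live` on the client before starting ssh. If you want every `kinit` to request a forwardable TGT without remembering `-f`, MIT Kerberos honours `forwardable = true` under `[libdefaults]` in `krb5.conf`. Note that, as the reply says, a successful delegation still leaves nothing new in the client's cache: the forwarded TGT shows up only on the server side (and in the KDC log), so `klist -f` on the client can confirm the prerequisite but not the delegation itself.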