Kerberos & ssh

by Juliet Kemp

Things to look for if kerberos-enabled SSH isn't working:

  • Check /etc/ssh/sshd_config for lines that look like this:
    KerberosAuthentication yes
    KerberosOrLocalPasswd yes
    KerberosTicketCleanup yes
    GSSAPIAuthentication yes
    GSSAPICleanupCredentials yes
    GssapiKeyExchange yes
  • Check that libsasl2-gssapi-mit is installed (for Debian; insert appropriate package for your system).
  • Check that you've extracted the host/ key to /etc/krb5.keytab on the client you're trying to log in to (that is the FQDN for the client you're trying to log in to). This is the one that I most often get caught by. The command is klist -k /etc/krb5.keytab (as root).
  • Check that /etc/krb5.keytab is only readable by root.
  • Restart sshd to make sure that any changes you've made on the above lines are actually operational.

This week's (unconnected) observation: it's still possible to get caddies for IDE drives, for very little money. This comes in handy when an elderly motherboard expires, at an unfortunate stage of the backup cycle, and the disk is still good (and has several days of non-backed-up data: see above re backup cycle). £10 = one happy user.

Happy Thanksgiving to US readers! Enjoy the holiday. I am, as I type this, listening to Alice's Restaurant in honour of it.


2007-11-25 20:19:13
Thanks for the Kerberos/SSH tips, you helped me solve a problem and have a reference for future problems! Which there will be, with Kerberos!
2007-11-26 05:54:18
Just for clarification to your readership:

*The Kerberos* options are only needed for KDC-validated password authentication. PAM can also handle this case.

*The GSSAPI* options are only needed for non-interactive kerberos ticket authentication.


Juliet Kemp
2007-11-26 06:02:04
Matt - thanks for the clarification.

Farnold - glad the post was useful!