Kerberos & ssh
by Juliet Kemp
Things to look for if Kerberos-enabled SSH isn't working:
- Check /etc/ssh/sshd_config for lines that look like this:
    KerberosAuthentication yes
    KerberosOrLocalPasswd yes
    KerberosTicketCleanup yes
    GSSAPIAuthentication yes
    GSSAPICleanupCredentials yes
    GssapiKeyExchange yes
- Check that libsasl2-gssapi-mit is installed (for Debian; insert appropriate package for your system).
- Check that you've extracted the /etc/krb5.keytab on the client you're trying to log in to (that client.example.com is the FQDN for the client you're trying to log in to). This is the one that I most often get caught by. The command is klist -k /etc/krb5.keytab (as root).
- Check that /etc/krb5.keytab is only readable by sshd to make sure that any changes you've made on the above lines are actually operational.
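The checklist above can be scripted. The following is an added example, not part of the original post: it reports which of the six listed directives are missing or not set to yes, and flags a keytab that grants access to group or other. The function names, the constructed sample config and the owner-only permission rule are assumptions of this example.

```shell
#!/bin/sh
# The six directives listed in the post; each is expected to be "yes".
KRB_DIRECTIVES="KerberosAuthentication KerberosOrLocalPasswd KerberosTicketCleanup \
GSSAPIAuthentication GSSAPICleanupCredentials GssapiKeyExchange"

# Print one line per directive that is absent or not "yes" in the given
# sshd_config and return 1 if any were reported. sshd keywords are
# case-insensitive and the first value obtained wins; both rules are mirrored.
# Parsing stops at the first Match block, since settings there are conditional.
check_sshd_krb() {
    conf=$1 bad=0
    for d in $KRB_DIRECTIVES; do
        val=$(awk -v key="$d" '
            tolower($1) == "match"      { exit }
            tolower($1) == tolower(key) { print tolower($2); exit }
        ' "$conf")
        case $val in
            yes) ;;
            "")  echo "$d: not set"; bad=1 ;;
            *)   echo "$d: set to $val"; bad=1 ;;
        esac
    done
    return $bad
}

# Return 0 only if the file exists and grants nothing to group or other
# (assumption of this example: the keytab is private to its owner).
check_keytab_perms() {
    [ -f "$1" ] || { echo "$1: missing"; return 1; }
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "$1: group/other access ($perms)"; return 1; }
}

# Constructed sample config: one directive disabled, one commented out.
write_sample_conf() {
    cat > "$1" <<'EOF'
KerberosAuthentication yes
KerberosOrLocalPasswd yes
kerberosticketcleanup yes
GSSAPIAuthentication no
GSSAPICleanupCredentials yes
#GssapiKeyExchange yes
EOF
}

tmp=$(mktemp -d)
write_sample_conf "$tmp/sshd_config"
check_sshd_krb "$tmp/sshd_config" || echo "sshd_config needs attention"
rm -rf "$tmp"
```

On a real host, call the two functions with /etc/ssh/sshd_config and /etc/krb5.keytab as root.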
This week's (unconnected) observation: it's still possible to get caddies for IDE drives, for very little money. This comes in handy when an elderly motherboard expires, at an unfortunate stage of the backup cycle, and the disk is still good (and has several days of non-backed-up data: see above re backup cycle). £10 = one happy user.
Happy Thanksgiving to US readers! Enjoy the holiday. I am, as I type this, listening to Alice's Restaurant in honour of it.
Thanks for the Kerberos/SSH tips, you helped me solve a problem and have a reference for future problems! Which there will be, with Kerberos!
Just for clarification to your readership:
Matt - thanks for the clarification.