I apologize if this is the wrong list on which to ask for help.  If that's 
the case, please send me a pointer to the right list (perhaps the OpenSSH 
list?).

        I have two Kerberos principals, [email protected] and 
[email protected], which I like to use with OpenSSH to log in to 
dialup servers at athena and csail, respectively, without passwords.  I'm using 
OpenSSH 5.2p1 on Mac OS X 10.6.

        My .ssh/config is set so that Kerberos is being used:

$ cat .ssh/config
ForwardX11 yes
ForwardAgent yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

        And when used individually, I can log into athena and csail without 
passwords:

$ kdestroy -A
$ kinit [email protected]

$ klist -A
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: [email protected]

Valid Starting     Expires            Service Principal
03/09/10 01:56:42  03/09/10 11:56:42  krbtgt/[email protected]
        renew until 03/16/10 02:56:42

$ ssh linux.dialup.mit.edu
<I can log in without a password>

Similarly, for login.csail.mit.edu.  However, if I acquire both principals, 
OpenSSH appears to use only the latest one:

$ kinit [email protected]
$ klist
Kerberos 5 ticket cache: 'API:3'
Default principal: [email protected]

Valid Starting     Expires            Service Principal
03/09/10 01:58:15  03/09/10 11:58:14  krbtgt/[email protected]
        renew until 03/16/10 02:58:15

$ klist -A
Kerberos 5 ticket cache: 'API:3'
Default principal: [email protected]

Valid Starting     Expires            Service Principal
03/09/10 01:58:15  03/09/10 11:58:14  krbtgt/[email protected]
        renew until 03/16/10 02:58:15


-------------------------------------------------------------------------------
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: [email protected]

Valid Starting     Expires            Service Principal
03/09/10 01:56:42  03/09/10 11:56:42  krbtgt/[email protected]
        renew until 03/16/10 02:56:42




Once the default principal has been set to the CSAIL one, I can no longer 
access linux.dialup.mit.edu without a password.  Is there a way to make OpenSSH 
"search" for the appropriate one?  Or is there a magic command to change the 
default principal, so I can script my way around the problem?

Thanks,

Jiawen
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
