Hi, I am having this weird problem using GSSAPI deligation with SSH.
I am using pam_krb5 on the server side aswell. If I just ssh with no tickets on my local machine it will ask me for a password and I can then run a klist on the server and see: ssh [email protected]@mgaauth1.ni.ls.cbn Password: Last login: Wed Nov 24 11:00:06 2010 from 172.20.250.139 [email protected]@mgaauth1:~> klist Ticket cache: FILE:/tmp/krb5cc_5002_v11419 Default principal: [email protected] Valid starting Expires Service principal 11/24/10 11:05:43 11/24/10 21:05:43 krbtgt/[email protected] renew until 11/25/10 11:05:41 however if I kinit first: bcy...@linux-s6k6:/etc> kinit [email protected] bcy...@linux-s6k6:/etc> klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: [email protected] Valid starting Expires Service principal 11/24/10 12:06:56 11/24/10 22:06:56 krbtgt/[email protected] renew until 11/25/10 12:06:47 bcy...@linux-s6k6:/etc> ssh [email protected]@mgaauth1.ni.ls.cbn Last login: Wed Nov 24 11:05:43 2010 from 172.20.250.139 [email protected]@mgaauth1:~> klist klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_5002) So it allows me to ssh without a password (as I want) but then when I try to klist on the server I don't seem to have a credentials cache and I am fairly sure I should have one. After leaving the server my credentials cache looks as expected: [email protected]@mgaauth1:~> exit logout Connection to mgaauth1.ni.ls.cbn closed. bcy...@linux-s6k6:/etc> klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: [email protected] Valid starting Expires Service principal 11/24/10 12:06:56 11/24/10 22:06:56 krbtgt/[email protected] renew until 11/25/10 12:06:47 11/24/10 12:07:32 11/24/10 22:06:56 krbtgt/[email protected] renew until 11/25/10 12:06:47 11/24/10 12:07:37 11/24/10 22:06:56 host/[email protected] renew until 11/25/10 12:06:47 This is a cross realm setup. Any ideas what could be going on? Thanks, -- Bram Cymet Software Developer Canadian Bank Note Co. Ltd. Cell: 613-608-9752 ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
