Things to look for if Kerberos-enabled SSH isn’t working:
- Check `/etc/ssh/sshd_config` for lines that look like this:

      KerberosAuthentication yes
      KerberosOrLocalPasswd yes
      KerberosTicketCleanup yes
      GSSAPIAuthentication yes
      GSSAPICleanupCredentials yes
      GssapiKeyExchange yes

- Check that `libsasl2-gssapi-mit` is installed (for Debian; insert appropriate package for your system).
- Check that you’ve extracted the `host/client.example.com` key to `/etc/krb5.keytab` on the client you’re trying to log in to (that `client.example.com` is the FQDN for the client you’re trying to log in to). This is the one that I most often get caught by. The command is `klist -k /etc/krb5.keytab` (as root).
- Check that `/etc/krb5.keytab` is only readable by `root`.
- Restart `sshd` to make sure that any changes you’ve made on the above lines are actually operational.
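
The checks in the list above can be scripted. The following is an added example, not part of the original post: the function names are hypothetical, and `stat -c` assumes GNU coreutils (as on Debian).

```shell
#!/bin/sh
# Added example (not from the original post); function names are hypothetical.

# Print each directive from the list above that is not set to "yes".
# Keywords are matched case-insensitively and the first occurrence wins,
# as in sshd itself; Match blocks and "key=value" syntax are not handled.
missing_sshd_options() {
    for opt in KerberosAuthentication KerberosOrLocalPasswd KerberosTicketCleanup \
               GSSAPIAuthentication GSSAPICleanupCredentials GssapiKeyExchange; do
        val=$(awk -v k="$opt" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1")
        [ "$val" = "yes" ] || echo "$opt"
    done
}

# Succeed only if the keytab is owned by the expected uid (default 0, root)
# and carries no group or other permission bits. Assumes GNU stat.
keytab_is_private() {
    info=$(stat -c '%u %a' "$1") || return 1
    [ "${info% *}" = "${2:-0}" ] || return 1
    case ${info#* } in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Read `klist -k` output on stdin; succeed if it lists host/<fqdn>@<any realm>.
keytab_has_host_principal() {
    awk -v p="host/$1@" 'index($2, p) == 1 { found = 1 } END { exit !found }'
}

# Typical use, as root on the machine you are trying to log in to:
#   missing_sshd_options /etc/ssh/sshd_config
#   keytab_is_private /etc/krb5.keytab || echo "keytab permissions too open"
#   klist -k /etc/krb5.keytab | keytab_has_host_principal "$(hostname -f)" \
#       || echo "no host key for this FQDN in the keytab"
```

Run `missing_sshd_options` again after restarting `sshd`; an empty result means all six directives are present and set to `yes` in the file.
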
This week’s (unconnected) observation: it’s still possible to get caddies for IDE drives, for very little money. This comes in handy when an elderly motherboard expires, at an unfortunate stage of the backup cycle, and the disk is still good (and has several days of non-backed-up data: see above re backup cycle). £10 = one happy user.
Happy Thanksgiving to US readers! Enjoy the holiday. I am, as I type this, listening to Alice’s Restaurant in honour of it.


Thanks for the Kerberos/SSH tips, you helped me solve a problem and have a reference for future problems! Which there will be, with Kerberos!
Just for clarification to your readership:
*The Kerberos* options are only needed for KDC-validated password authentication. PAM can also handle this case.
*The GSSAPI* options are only needed for non-interactive Kerberos ticket authentication.
-Matt
Matt - thanks for the clarification.
Farnold - glad the post was useful!