[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Heimdal and r* client programs
On Thu, Aug 15, 2002 at 01:34:15PM -0500, Douglas E. Engert wrote:
> Tillman Hodgson wrote:
> > If I could have an ssh login to a perimeter server also request and
> > store the TGT, then I can log in once to the network from the outside
> > (in a secure fashion via ssh) and have single sign-on from there on.
> Yes, forwarding of a ticket, or with GSS its called delegation.
> > Eliminating the need for users to do a k5init would be great.
> We do that with GSSAPI and SSHD can get an AFS token for you too.
I'm running into a problem - the FreeBSD openssh-portable w/GSSAPI patch
doesn't appear to be working the way I'd expect it to.
I modified the /usr/local/etc/ssh/sshd_config on athena (a currently
working Kerberized server) to include:
and ran /usr/local/sbin/sshd on port 8022 (so it wouldn't conflict with
the existing sshd). Here's what I tried to test it:
1. Ran a k5destory and a k5list to confirm that I did not have a ticket
2. Ran '/usr/local/bin/ssh -2 -p 8022 localhost' ... oddly, I got a
password prompt that only took my system (rather than Kerberos)
3. Ran k5list to see if I had a ticket created - I didn't
I then tried grep'ing (with -i) for 'kerb' and 'gss' in the source tree
to see if anything stood out, but I didn't see anything noteworthy. I
suspect I'm missing some obvious steps somewhere. Can someone post a
working sshd_config or point our any errors I have?
Nature commits no errors; right and wrong are human categories.
- Pardot Kynes, Arrakis Lectures