Bug 162096 - Configuring kerberos authentication.
Summary: Configuring kerberos authentication.
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: openssh
Version: 4.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Brian Brock
Depends On:
Reported: 2005-06-29 20:23 UTC by Dave English
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2005-07-01 17:00:23 UTC
Target Upstream Version:


Description Dave English 2005-06-29 20:23:08 UTC
Configuring kerberos authentication.
sshd asks for "Password: Response:".
Openssh just authenticate via the kerberos ticket, pass on the ticket to the
remote host/s but this is not the case

Comment 1 Tomas Mraz 2005-06-30 07:16:10 UTC
What exact client and server versions of openssh do you use?

Comment 2 Dave English 2005-06-30 14:27:18 UTC
rpm -qa | grep ssh

Comment 3 Tomas Mraz 2005-06-30 14:34:23 UTC
You're really terse.

Do you connect from RHEL4 machine to another RHEL4 machine?

Do you have GSSAPIAuthentication yes in both ssh_config and sshd_config files?

Comment 4 Dave English 2005-06-30 15:10:02 UTC
yes in both

grep GSSAPIAuthentication ssh*config

ssh_config:     GSSAPIAuthentication yes
sshd_config:GSSAPIAuthentication yes
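
The grep above shows which lines mention the keyword, not which value OpenSSH ends up using: commented-out lines also match, and the first uncommented value in scope wins. The following is an added example, not part of the original report or of OpenSSH; `effective_gssapi` is a hypothetical helper, the sample files are constructed, and it only evaluates the global scope and `Host *` (it does not follow `Include` or evaluate `Match` conditions).

```shell
#!/bin/sh
# Added example: report the GSSAPIAuthentication value that applies to every
# connection, instead of every line that merely mentions the keyword.
# effective_gssapi is a hypothetical helper name, not an OpenSSH tool.
effective_gssapi() {
    awk '
        BEGIN { scope = 1 }                    # 1 = line applies to every connection
        {
            sub(/^[ \t]+/, "")                 # drop indentation
            if ($0 == "" || $0 ~ /^#/) next    # blank or commented-out line
            sub(/[ \t]*=[ \t]*/, " ")          # "Keyword=value" -> "Keyword value"
            key = tolower($1)                  # keywords are case-insensitive
            if (key == "match") { scope = 0; next }
            if (key == "host")  { scope = ($2 == "*" && NF == 2); next }
            if (scope && key == "gssapiauthentication") {
                print tolower($2); found = 1; exit   # first obtained value wins
            }
        }
        END { if (!found) print "unset" }      # upstream default is "no"
    ' "$1"
}

# Constructed sample files (not taken from the bug report).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

cat > "$demo_dir/sshd_config" <<'EOF'
#GSSAPIAuthentication yes
GSSAPIAuthentication no
Match User backup
    GSSAPIAuthentication yes
EOF

cat > "$demo_dir/ssh_config" <<'EOF'
Host *
    GSSAPIAuthentication yes
EOF

for f in sshd_config ssh_config; do
    printf '%s: grep matches %s line(s), effective value: %s\n' "$f" \
        "$(grep -c GSSAPIAuthentication "$demo_dir/$f")" \
        "$(effective_gssapi "$demo_dir/$f")"
done
```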

Comment 5 Dave English 2005-06-30 15:12:00 UTC
Do you connect from RHEL4 machine to another RHEL4 machine  YES

With both the same rev
2.6.9-11.ELsmp #1 SMP Fri May 20 18:25:30 EDT 2005 x86_64 x86_64 x86_64 GNU/Linux

Comment 6 Tomas Mraz 2005-06-30 18:48:30 UTC
Hmm, I cannot reproduce it here. Have you correctly set up your
/etc/krb5.keytab with the server key?

Also, if as a paying customer you want a proper response from Red Hat, you should
use the Issue Tracker for reporting problems with Red Hat Enterprise Linux.

Comment 7 Dave English 2005-07-01 15:15:49 UTC
Yes, when I do a strings on the file it is fine, right host name, domain / realm

Comment 8 Tomas Mraz 2005-07-01 15:48:37 UTC
There can be problems with the host name resolution (is your host multihomed?).

Could you attach here your krb5.conf file, klist output of your ticket and
getprinc output from kadmin for the host principal of the sshd server machine?

Comment 9 Dave English 2005-07-01 15:55:55 UTC
cat /etc/krb5.conf
        ticket_lifetime = 600
        default_realm = XXX.COM
        default_tgs_enctypes = des-cbc-crc des-cbc-md5 des3-hmac-sha1
        default_tkt_enctypes = des-cbc-crc des-cbc-md5 des3-hmac-sha1
        clockskew = 600
        forwardable = true

        XXX.COM = {
                kdc = :88
                kdc = :88
                kdc = :88
                kdc = :88
                kdc = :88
                kdc = :88
                kdc = :88
                kdc = :88
                kdc = :88
                admin_server =
                default_domain = XXX.COM

[domain_realm] = XXX.COM = XXX.COM

   version = 1.0
   symlink-name = /usr/kerberos/kerbnet

        default = SYSLOG:DEBUG:AUTH

    telnet = {
        forwardable = true
        forward = true
        encrypt = false
        autologin = true
    rlogin = {
        forwardable = true
        forward = true
        encrypt = true
    rsh = {
        forwardable = true
        forward = true
        encrypt = true
    rcp = {
        encrypt = true
    pam = {
        forwardable = true
    login = {
        krb5_run_aklog = false
        krb5_get_tickets = true
        krb4_get_tickets = false
        krb4_convert = false

Ticket cache: FILE:/tmp/krb5cc_0.1
Default principal: eng007@XXX.COM

Valid starting     Expires            Service principal
07/01/05 11:50:58  07/01/05 21:50:58  krbtgt/XXX.COM@XXX.COM
        renew until 07/02/05 11:50:56
07/01/05 11:51:01  07/01/05 21:50:58  host/
        renew until 07/02/05 11:50:56

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Comment 10 Tomas Mraz 2005-07-01 17:00:23 UTC
Hmm... there don't seem to be any obvious problems with the configuration,
however there still can be a problem with the service key.

As I cannot reproduce the problem here, I'm closing this bug for now as
worksforme. But you should use the paid support issue tracker to report the
problem so it can be investigated more. Please point them to this bug report.
Thank you.
