
Re: Heimdal and r* client programs

On Thu, Aug 15, 2002 at 01:34:15PM -0500, Douglas E. Engert wrote:
> Tillman Hodgson wrote:
> > If I could have an ssh login to a perimeter server also request and
> > store the TGT, then I can log in once to the network from the outside
> > (in a secure fashion via ssh) and have single sign-on from there on.
> 
> Yes, forwarding of a ticket, or with GSS its called delegation. 
> 
> > Eliminating the need for users to do a k5init would be great.
> 
> We do that with GSSAPI and SSHD can get an AFS token for you too.

I'm running into a problem - the FreeBSD openssh-portable w/GSSAPI patch
doesn't appear to be working the way I'd expect it to.

I modified the /usr/local/etc/ssh/sshd_config on athena (a currently
working Kerberized server) to include:

 KerberosAuthentication yes
 KerberosTicketCleanup yes
 GssapiAuthentication yes
 GssapiKeyExchange yes
 GssapiUseSessionCredCache yes

and ran /usr/local/sbin/sshd on port 8022 (so it wouldn't conflict with
the existing sshd). Here's what I tried to test it:

1. Ran a k5destroy and a k5list to confirm that I did not have a ticket

2. Ran '/usr/local/bin/ssh -2 -p 8022 localhost' ... oddly, I got a
   password prompt that only took my system (rather than Kerberos)
   password

3. Ran k5list to see if I had a ticket created - I didn't

I then tried grepping (with -i) for 'kerb' and 'gss' in the source tree
to see if anything stood out, but I didn't see anything noteworthy. I
suspect I'm missing some obvious steps somewhere. Can someone post a
working sshd_config or point out any errors I have?

Thanks muchly,

- Tillman

-- 
Nature commits no errors; right and wrong are human categories.
	- Pardot Kynes, Arrakis Lectures