If you are using Kerberos, then you need PasswordAuthentication yes in the
sshd_config also.

If you're using GSSAPI then you need GSSAPIAuthentication yes in the
sshd_config and ssh_config. That is, if you're using ssh wf and don't
expect a prompt for a password.

The following is using GSSAPI (first a failure, as no ticket).

$ ssh me@rhea
Permission denied (publickey,gssapi-with-mic,keyboard-interactive).
$ kinit me
me@xxxxxxxxx's Password:
$ ssh me@rhea
Last login: Thu Nov 27 22:42:21 2008 from pandora.xxx.me.uk
OpenBSD 4.4-stable (GENERIC) #3: Tue Nov 11 00:54:23 GMT 2008

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code. With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.

$ egrep "Authen" /etc/ssh/sshd_config
# Authentication:
PasswordAuthentication no
KerberosAuthentication no
GSSAPIAuthentication yes
$ ^D
Connection to rhea closed.
$ hostname
pandora.xxx.me.uk

Regards

Nigel Taylor

Julius wrote:
> Hi,
>
> I'm just starting with Kerberos, so I'm probably missing something obvious
> here.
>
> server:
> PasswordAuthentication no
> KerberosAuthentication yes
> KerberosOrLocalPasswd no
> KerberosTicketCleanup yes
>
> client: (night:crawler 192.168.10.102)
> ~/.ssh/config
> GSSAPIAuthentication yes
>
> client:
> [kerberos-test@night_crawler ~]$ kinit kerberos-test
> kerberos-test@xxxxxxxxxxxxxx's Password:
> [kerberos-test@night_crawler ~]$ klist
> Credentials cache: FILE:/tmp/krb5cc_1013
> Principal: kerberos-test@xxxxxxxxxxxxxx
>
> Issued Expires Principal
> Nov 27 13:14:34 Nov 27 23:14:34 krbtgt/LOCALDOMAIN.DE@xxxxxxxxxxxxxx
>
> ssh wf
> Permission denied (publickey,gssapi-with-mic).
>
> klist
> Credentials cache: FILE:/tmp/krb5cc_1013
> Principal: kerberos-test@xxxxxxxxxxxxxx
>
> Issued Expires Principal
> Nov 27 13:14:34 Nov 27 23:14:34 krbtgt/LOCALDOMAIN.DE@xxxxxxxxxxxxxx
> Nov 27 13:15:03 Nov 27 23:14:34 host/wf.localdomain.de@xxxxxxxxxxxxxx
>
> server:
> kdc.log
> 2008-11-27T13:14:34 sending 493 bytes to IPv4:192.168.10.102
> 2008-11-27T13:14:34 AS-REQ kerberos-test@xxxxxxxxxxxxxx from
> IPv4:192.168.10.102 for krbtgt/LOCALDOMAIN.DE@xxxxxxxxxxxxxx
> 2008-11-27T13:14:34 Client sent patypes: encrypted-timestamp
> 2008-11-27T13:14:34 Looking for PKINIT pa-data --
> kerberos-test@xxxxxxxxxxxxxx
> 2008-11-27T13:14:34 Looking for ENC-TS pa-data --
> kerberos-test@xxxxxxxxxxxxxx
> 2008-11-27T13:14:34 ENC-TS Pre-authentication succeeded --
> kerberos-test@xxxxxxxxxxxxxx using aes256-cts-hmac-sha1-96
> 2008-11-27T13:14:34 Client supported enctypes: aes256-cts-hmac-sha1-96,
> aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5,
> des-cbc-md5, des-cbc-md4, des-cbc-crc
> 2008-11-27T13:14:34 Using
> aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
> 2008-11-27T13:14:34 AS-REQ authtime: 2008-11-27T13:14:34 starttime:
> unset endtime: 2008-11-27T23:14:34 renew till: unset
> 2008-11-27T13:14:34 sending 688 bytes to IPv4:192.168.10.102
> 2008-11-27T13:15:03 TGS-REQ kerberos-test@xxxxxxxxxxxxxx from
> IPv4:192.168.10.102 for host/wf.localdomain.de@xxxxxxxxxxxxxx
> [canonicalize]
> 2008-11-27T13:15:03 TGS-REQ authtime: 2008-11-27T13:14:34 starttime:
> 2008-11-27T13:15:03 endtime: 2008-11-27T23:14:34 renew till: unset
> 2008-11-27T13:15:03 sending 683 bytes to IPv4:192.168.10.102
>
> After the ssh connect the principal wf (ssh server) is listed, but why
> is ssh not connecting?
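
Added example (not part of either message above): a shell check of the settings the reply names, run over the effective configuration that current OpenSSH prints with sshd -T (server) and ssh -G host (client). The function names and SERVER_A are constructed for illustration; SERVER_B mirrors the egrep output in the reply and CLIENT the ~/.ssh/config line in the quoted post.

```shell
#!/bin/sh
# Added example, not from the thread. Input is the effective configuration
# OpenSSH prints as "keyword value" lines: sshd -T (server), ssh -G host (client).

# opt KEYWORD: read a dump on stdin, print KEYWORD's value, or "absent".
opt() {
    awk -v k="$1" 'tolower($1) == k { print tolower($2); found = 1; exit }
                   END { if (!found) print "absent" }'
}

# check_auth SERVER_DUMP CLIENT_DUMP: print findings; return 0 only when
# ticket-based (GSSAPI) login is enabled on both sides.
check_auth() {
    s_gss=$(printf '%s\n' "$1" | opt gssapiauthentication)
    c_gss=$(printf '%s\n' "$2" | opt gssapiauthentication)
    s_krb=$(printf '%s\n' "$1" | opt kerberosauthentication)
    s_pwd=$(printf '%s\n' "$1" | opt passwordauthentication)
    rc=0
    if [ "$s_gss" != yes ]; then
        echo "server: GSSAPIAuthentication is $s_gss; ticket login needs yes"; rc=1
    fi
    if [ "$c_gss" != yes ]; then
        echo "client: GSSAPIAuthentication is $c_gss; ticket login needs yes"; rc=1
    fi
    if [ "$s_krb" = yes ] && [ "$s_pwd" != yes ]; then
        echo "server: KerberosAuthentication yes only validates passwords, and PasswordAuthentication is $s_pwd"
    fi
    [ "$rc" -eq 0 ] && echo "ok: GSSAPIAuthentication enabled on both sides"
    return "$rc"
}

# Constructed sample dumps (trimmed to the keywords under discussion).
SERVER_A='passwordauthentication no
kerberosauthentication yes
gssapiauthentication no'
SERVER_B='passwordauthentication no
kerberosauthentication no
gssapiauthentication yes'
CLIENT='gssapiauthentication yes'

echo "== SERVER_A =="; check_auth "$SERVER_A" "$CLIENT" || true
echo "== SERVER_B =="; check_auth "$SERVER_B" "$CLIENT"
```

On a live system the dumps would come from sshd -T (as root on the server) and ssh -G wf (on the client); a keyword reported as absent means the dump did not list it at all.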