SSH login without password with kerberos

authentication kerberos ssh

I am trying to log in to a server which only supports login with Kerberos authentication. Here's what I try:

kinit user@FOO.ORG
aklog -c foo.org
ssh server

But then I'm asked again for a password.

Here's what I have in my ~/.ssh/config for the entry server (my /etc/ssh/ssh_config is empty):

Host server
    HostName someserver.foo.org
    User user
    ForwardX11 yes
    ForwardX11Trusted yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

According to colleagues, this (or something similar) is working for them. I can log onto other machines with Kerberos tokens just fine. I assume it has something to do with my /etc/krb5.conf, but I do not know what to look for. I tried copying the /etc/krb5.conf from the server to my workstation, but without success.

Here's part of the output if I run ssh -vvv server:

debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Server not found in Kerberos database

debug1: Unspecified GSS failure.  Minor code may provide more information
Server not found in Kerberos database

debug1: Unspecified GSS failure.  Minor code may provide more information


debug2: we sent a gssapi-with-mic packet, wait for reply

How can I log in with my local Kerberos token? What am I doing wrong?

Best Answer

You probably need to add the server to the Kerberos database, aka the KDC, by creating a principal for the machine itself.

If you are running Windows Active Directory with a KDC, you can use ktpass.exe to add the host to the KDC.

If you are running a Windows or Linux Kerberos KDC, you can use the ktutil command in a Linux shell to add the principal to the Kerberos database.
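
A way to confirm that diagnosis from the client before changing anything on the KDC, as an added example that is not part of the original answer. It assumes MIT Kerberos client tools (klist, kvno) and the usual host/<fqdn>@<REALM> naming for the SSH service; the function names are hypothetical and the sample log lines are copied from the question's debug output.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Build the service principal an SSH client asks the KDC for: host/<fqdn>@<REALM>.
# Assumption: the Kerberos library may canonicalize the name through DNS first,
# so the name requested on a live system can differ from the one passed in here.
host_principal() {
    fqdn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    realm=$(printf '%s' "$2" | tr 'a-z' 'A-Z')
    printf 'host/%s@%s\n' "$fqdn" "$realm"
}

# Read `ssh -v` output on stdin and print one verdict word.
classify_ssh_debug() {
    awk '
        /Next authentication method: gssapi-with-mic/ { tried = 1 }
        tried && /Server not found in Kerberos database/ { missing = 1 }
        tried && /No Kerberos credentials available/ { nocreds = 1 }
        END {
            if (!tried)       print "gssapi-not-attempted"
            else if (missing) print "service-principal-unknown"
            else if (nocreds) print "no-ticket"
            else              print "other"
        }'
}

# Live check: with a valid TGT, request a service ticket for the host principal.
# Returns 0 if the KDC issued one, 1 if it refused, 2 if the check could not run.
check_kdc() {
    princ=$(host_principal "$1" "$2")
    command -v kvno >/dev/null 2>&1 || { echo "kvno not installed"; return 2; }
    klist -s || { echo "no valid TGT; run kinit first"; return 2; }
    if kvno "$princ" >/dev/null 2>&1; then
        echo "KDC issued a ticket for $princ"
    else
        echo "KDC has no usable entry for $princ"
        return 1
    fi
}

# Constructed sample: lines taken from the ssh -vvv output in the question.
SAMPLE_LOG='debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Server not found in Kerberos database'
```

For the setup in the question, `check_kdc someserver.foo.org FOO.ORG` after `kinit` shows whether the KDC can issue a ticket for the host principal at all.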
