Sept. 24, 1997
James DODD wrote:
>
> Hi Doug,
>
> I have been trying to make ssh work with kerberos 5 patchlevel 1 as
> described in Jim Rome's page "How to Kerberise Your Site".
> I configured and built ssh with the appropriate krb5/tgt forwarding
> options as demonstrated, but cannot get ssh to authenticate via kerberos.
> I get something like "Kerberos V5 krb5_fwd_tgt_creds failure (Cannot
> contact any KDC for requested realm)" after a few seconds of inactivity,
> and the same error when trying normal kerberos authentication.

There are two ways ssh can use Kerberos:

 o (1) Like login.krb5, where it accepts a password over the network,
   and gets you a ticket.

 o (2) Much like rlogind where it accepts a Kerberos ticket and maybe
   a forwardable ticket.

In case 1, it will also attempt to validate the login, by
getting a ticket for the local host, host/<hostname>@realm. This
might be your problem. I see that Bill responded to a note about
this.

> However, using the bog-standard kerberos5 tools (kinit etc) work fine,
> which confuses me.
> The KDC is on an AIX machine, and is actually a DCE registry.  Do I need
> to install your ssh patch to be able to make ssh interoperate with a
> DCE KDC?

No, you don't need most of my mods to authenticate. But there
were two bugs, which the SSH people said they were going to fix:

------- auth-kerberos.c -------
230c230
<   (void) sprintf(ticket, "%s", ccname+5);
---
>   (void) sprintf(ticket, "%s", ccname);
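Review bot: the offset in `ccname+5` on the `<` side, and its removal on the `>` side, carry no comment saying what those five characters are; the auth-passwd.c change in the same message now writes the cache name at `ccname+5`, so whatever the first five bytes of `ccname` hold, `ticket` receives the whole prefixed string. A one-line comment (or a named prefix length shared by both files) at the copy site would keep the two files from drifting apart again. `(void) sprintf(ticket, "%s", ccname)` is also an unbounded copy; if `ticket` is a fixed-size array, `snprintf(ticket, sizeof ticket, "%s", ccname)` bounds it at no cost.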

------- auth-passwd.c -------
547,548c547,548
<             strcpy(ccname, krb5_cc_get_name(ssh_context, ccache));
<             (void) chown(ccname, pw->pw_uid, pw->pw_gid);
---
>             strcpy(ccname+5, krb5_cc_get_name(ssh_context, ccache));
>             (void) chown(ccname+5, pw->pw_uid, pw->pw_gid);
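Review bot: `(void) chown(ccname+5, pw->pw_uid, pw->pw_gid)` discards the return value; if the chown fails, the credential cache just created by the privileged daemon keeps its original owner, the user's session cannot read it, and nothing is logged. Check the result and log or fail the login on error. As in auth-kerberos.c, `strcpy(ccname+5, krb5_cc_get_name(...))` relies on the first five bytes of `ccname` already holding the prefix and on the buffer having room for the rest; a bounded copy with the remaining length and a comment naming the prefix would make both assumptions explicit.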
The other mods allow you to use the Kerberos ticket from case (1)
or the forwarded ticket from case (2) to get a DCE context and PAG
for DFS and/or an AFS token. The base Kerberos code should work,
or at least not give you the error messages above.

I had heard that the AIX security server does some strange things with
the FORWARDABLE flag, and this might be your problem.

You might want to try changing the line in auth-passwd.c:

int krb5_options = KDC_OPT_RENEWABLE | KDC_OPT_FORWARDABLE;

to

int krb5_options = 0;

and see if you get further.
 
I also have a new set of mods which I got working late last week,
which use the k5dcecon.c routine with DCE. These only work
on AIX and Solaris currently, since only these systems have a
DCE setpag(newpag) function. HP and Cray/SGI say they are
adding this soon. (I hope to package these up by the weekend.)

>
> Some of my wording may be a bit off the mark because I'm a bit of a
> Kerberos/DCE beginner!  Please correct me!
>
> Thanks in advance, James Dodd
>
> //////////////////////////////////////////////////////////////////////////
> // James.Dodd@cern.ch : http://wwwcn1.cern.ch/~jdodd/ : +41 22 767 2854 //
> // European Laboratory for Particle Physics (CERN), Geneva, Switzerland //
> //////////////////////////////////////////////////////////////////////////

--

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
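The credential-cache name handling behind the two hunks above, as an added example that is not part of the original message and not ssh's own code. It assumes, as the patch implies, that a Kerberos 5 cache name has the form "TYPE:residual" (for example "FILE:/tmp/krb5cc_..."), that the path handed to chown must be the residual, and that the full prefixed string is what belongs in KRB5CCNAME. Instead of the hard-coded `ccname+5`, it locates the prefix from the ':' separator and bounds every copy; the chown itself is replaced by a function that returns the path it would have targeted, so the example runs offline. Function names and the sample cache name are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not code from the original message or from ssh.
 * Assumption: a Kerberos 5 credential-cache name is "TYPE:residual";
 * the residual is the filesystem path for FILE caches, and the whole
 * string is what KRB5CCNAME should carry. The patch above hard-codes the
 * residual as ccname+5 (a five-character prefix); here the offset is
 * derived from the ':' so the code does not depend on the prefix length. */

#define CCNAME_MAX 256

/* Return a pointer to the residual (the part after "TYPE:"), or NULL if
 * the name has no type prefix. This is what ccname+5 meant in the patch. */
const char *cc_residual(const char *ccname)
{
    const char *colon = strchr(ccname, ':');
    if (colon == NULL || colon == ccname)
        return NULL;
    return colon + 1;
}

/* Copy the type prefix of ccname (without the ':') into type.
 * Returns 0 on success, -1 if the name is malformed or type is too small. */
int cc_type(const char *ccname, char *type, size_t typelen)
{
    const char *colon = strchr(ccname, ':');
    size_t n;
    if (colon == NULL || colon == ccname)
        return -1;
    n = (size_t)(colon - ccname);
    if (n + 1 > typelen)
        return -1;
    memcpy(type, ccname, n);
    type[n] = '\0';
    return 0;
}

/* Build "TYPE:residual" into out with bounds checking: the bounded
 * counterpart of strcpy(ccname+5, krb5_cc_get_name(...)) in the patch.
 * Returns 0 on success, -1 if the result would not fit. */
int cc_build_name(const char *type, const char *residual, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s:%s", type, residual);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

/* The post-login fix-up: the cache was created while the daemon was
 * still privileged, so ownership must be handed to the user. chown must
 * receive the path (the residual), never the "FILE:..." string. The real
 * chown is replaced by returning the path that would be used; NULL means
 * the cache is not file-backed (e.g. MEMORY:) and there is nothing to chown. */
const char *cc_path_to_chown(const char *ccname)
{
    char type[16];
    if (cc_type(ccname, type, sizeof type) != 0)
        return NULL;
    if (strcmp(type, "FILE") != 0)
        return NULL;
    return cc_residual(ccname);
}

int main(void)
{
    char ccname[CCNAME_MAX];
    const char *path;

    /* Constructed sample residual, standing in for krb5_cc_get_name(). */
    if (cc_build_name("FILE", "/tmp/krb5cc_p12345", ccname, sizeof ccname) != 0)
        return 1;
    printf("KRB5CCNAME=%s\n", ccname);                       /* full prefixed name */
    path = cc_path_to_chown(ccname);
    printf("chown target: %s\n", path ? path : "(none)");    /* residual only */
    return 0;
}
```

The split matters for the same reason the patch does: the string passed to chown and the string exported to the user's environment are different views of the same cache, and confusing them leaves a root-owned cache the user cannot read, or a KRB5CCNAME the library cannot parse.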