[HCoop-Help] permission problems (ssh access with passwordless login)

Andrew T andrew at hcoop.net
Mon Jun 29 16:42:47 EDT 2009


I am using mit-krb5 1.6.3 on gentoo and trying to follow the "Instructions" at
http://wiki.hcoop.net/MemberManual/ShellAccess/PasswordlessLogin.

When I ssh to mire using a standard password login everything works
fine. When I ssh to mire using kerberos credentials, the login
succeeds but I don't automatically get write access to my home
directory from my login shell. Any suggestions? Why aren't my kerberos
credentials being forwarded to mire's AFS?

Andrew

$  kinit andrew at HCOOP.NET     # get kerberos ticket
Password for andrew at HCOOP.NET: ********
$ klist  # confirm that we have tickets
Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: andrew at HCOOP.NET

Valid starting     Expires            Service principal
06/29/09 16:19:27  06/30/09 02:19:27  krbtgt/HCOOP.NET at HCOOP.NET
       renew until 06/30/09 16:19:24
$ cat ~/.ssh/config  # my local configuration for a passwordless mire login
# need to "kinit andrew at HCOOP.NET first"
Host hcoop
 HostName mire.hcoop.net
 GSSAPIAuthentication yes
 GSSAPIDelegateCredentials yes
 GSSAPITrustDns no
 User andrew

$ ssh -v hcoop  # do passwordless mire login
OpenSSH_5.2p1, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /home/andrew/.ssh/config
debug1: Applying options for hcoop
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to mire.hcoop.net [69.90.123.68] port 22.
debug1: Connection established.
debug1: identity file /home/andrew/.ssh/identity type -1
debug1: identity file /home/andrew/.ssh/id_rsa type -1
debug1: identity file /home/andrew/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3p2 Debian-9etch3
debug1: match: OpenSSH_4.3p2 Debian-9etch3 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'mire.hcoop.net' is known and matches the RSA host key.
debug1: Found key in /home/andrew/.ssh/known_hosts:22
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentication succeeded (gssapi-with-mic).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
Last login: Mon Jun 29 16:18:34 2009 from 216.48.162.49
Linux mire 2.6.23.14-grsec #1 SMP Mon Feb 11 18:39:15 EST 2008 i686

andrew at mire:~$ klist # login worked but no credentials - did delegating work?
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_10830)
Kerberos 4 ticket cache: /tmp/tkt10830
klist: You have no tickets cached

andrew at mire:~$ touch ttt  # can't access home folder on mire because afs can't get credentials
touch: cannot touch `ttt': Permission denied


