[HCoop-Help] permission problems (ssh access with passwordless login)

Adam Megacz megacz at hcoop.net
Mon Jun 29 20:31:34 EDT 2009


Hi, Andrew.

Could you please send the output of this exact command sequence?

  kinit andrew@HCOOP.NET
  klist
  ssh -oGSSAPIAuthentication=yes -oGSSAPIDelegateCredentials=yes andrew@mire.hcoop.net
  klist

(the last command will be executed on mire)

Thanks

  - a



Andrew T <andrew at hcoop.net> writes:
> I am using mit-krb5 1.6.3 on gentoo and trying to follow the "Instructions" at
> http://wiki.hcoop.net/MemberManual/ShellAccess/PasswordlessLogin.
>
> When I ssh to mire using a standard password login everything works
> fine. When I ssh to mire using Kerberos credentials, the login
> succeeds but I don't automatically get write access to my home
> directory from my login shell. Any suggestions? Why aren't my kerberos
> credentials being forwarded to mire's AFS?
>
> Andrew
>
> $ kinit andrew@HCOOP.NET     # get kerberos ticket
> Password for andrew@HCOOP.NET: ********
> $ klist  # confirm that we have tickets
> Ticket cache: FILE:/tmp/krb5cc_1001
> Default principal: andrew@HCOOP.NET
>
> Valid starting     Expires            Service principal
> 06/29/09 16:19:27  06/30/09 02:19:27  krbtgt/HCOOP.NET@HCOOP.NET
>        renew until 06/30/09 16:19:24
> $ cat ~/.ssh/config  # my local configuration for a passwordless mire login
> # need to "kinit andrew@HCOOP.NET first"
> Host hcoop
>  HostName mire.hcoop.net
>  GSSAPIAuthentication yes
>  GSSAPIDelegateCredentials yes
>  GSSAPITrustDns no
>  User andrew
>
> $ ssh -v hcoop  # do passwordless mire login
> OpenSSH_5.2p1, OpenSSL 0.9.8k 25 Mar 2009
> debug1: Reading configuration data /home/andrew/.ssh/config
> debug1: Applying options for hcoop
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Connecting to mire.hcoop.net [69.90.123.68] port 22.
> debug1: Connection established.
> debug1: identity file /home/andrew/.ssh/identity type -1
> debug1: identity file /home/andrew/.ssh/id_rsa type -1
> debug1: identity file /home/andrew/.ssh/id_dsa type 2
> debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3p2 Debian-9etch3
> debug1: match: OpenSSH_4.3p2 Debian-9etch3 pat OpenSSH_4*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.2
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client aes128-ctr hmac-md5 none
> debug1: kex: client->server aes128-ctr hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug1: Host 'mire.hcoop.net' is known and matches the RSA host key.
> debug1: Found key in /home/andrew/.ssh/known_hosts:22
> debug1: ssh_rsa_verify: signature correct
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,keyboard-interactive
> debug1: Next authentication method: gssapi-with-mic
> debug1: Delegating credentials
> debug1: Delegating credentials
> debug1: Authentication succeeded (gssapi-with-mic).
> debug1: channel 0: new [client-session]
> debug1: Entering interactive session.
> Last login: Mon Jun 29 16:18:34 2009 from 216.48.162.49
> Linux mire 2.6.23.14-grsec #1 SMP Mon Feb 11 18:39:15 EST 2008 i686
>
> andrew@mire:~$ klist # login worked but no credentials - did delegating work?
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_10830)
> Kerberos 4 ticket cache: /tmp/tkt10830
> klist: You have no tickets cached
>
> andrew@mire:~$ touch ttt  # can't access home folder on mire because afs can't get credentials
> touch: cannot touch `ttt': Permission denied
>
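
An added example, not part of the original messages: a small shell function that classifies the two pieces of output requested above (the client's `ssh -v` log and the `klist` run on mire). The function name, the result labels and the "healthy" sample are constructed for illustration; it only separates a client that never delegated from one that delegated while the server session still has no ticket cache, and does not identify the cause.

```shell
#!/bin/sh
# classify_delegation CLIENT_LOG REMOTE_KLIST   (hypothetical helper)
#   CLIENT_LOG   - text of the `ssh -v` debug output captured on the client
#   REMOTE_KLIST - text printed by `klist` inside the resulting session
# Prints one of the labels below; the labels are assumptions of this example.
classify_delegation() {
    client_log=$1
    remote_klist=$2

    # 1. Was the session authenticated by a GSSAPI method at all?
    if ! printf '%s\n' "$client_log" |
         grep -Eq 'Authentication succeeded \(gssapi-(with-mic|keyex)\)'; then
        echo "not-gssapi"; return 0
    fi

    # 2. Did the client log an attempt to delegate its credentials?
    if ! printf '%s\n' "$client_log" |
         grep -q 'debug1: Delegating credentials'; then
        echo "client-did-not-delegate"; return 0
    fi

    # 3. Does the server-side cache hold a ticket-granting ticket?
    if printf '%s\n' "$remote_klist" | grep -Eq 'krbtgt/[^@ ]+@'; then
        echo "delegated-and-stored"; return 0
    fi

    # Client says it delegated, yet the remote session has no TGT:
    # the situation reported in this thread.
    echo "delegated-but-no-remote-cache"
}

# Sample input: lines excerpted from the post above.
CLIENT_LOG_SAMPLE='debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Authentication succeeded (gssapi-with-mic).'

REMOTE_KLIST_EMPTY='klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_10830)
klist: You have no tickets cached'

# Constructed sample of what a populated remote cache would look like.
REMOTE_KLIST_OK='Ticket cache: FILE:/tmp/krb5cc_10830
Default principal: andrew@HCOOP.NET
06/29/09 16:19:27  06/30/09 02:19:27  krbtgt/HCOOP.NET@HCOOP.NET'

classify_delegation "$CLIENT_LOG_SAMPLE" "$REMOTE_KLIST_EMPTY"
```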
