Date: Wed, 25 Jan 2017 07:25:52 +0000
From: "C. L. Martinez"
To: freebsd-questions@freebsd.org
Subject: SSH with kerberos auth doesn't provide a ticket

Hi all,

I have a strange problem with ssh when kerberos auth is used. We have three kerberos servers based on MIT kerberos. I have configured a FreeBSD 11-RELEASE virtual guest to authenticate against these kerberos servers. Auth works ok, but ssh doesn't request a kerberos ticket (I am connecting from a Windows 10 workstation with putty):

cokk@bsdext01:~ % klist
klist: No credentials cache found (filename: /tmp/krb5cc_1000)
clopez@bsdext01:~ %

I have enabled the following options in sshd_config:

# Kerberos options
KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

It is strange because this "problem" only appears with FreeBSD; all other Linux systems don't have this problem.

What am I doing wrong?

Thanks

--
Greetings,
C. L. Martinez