
10.5: Enable SSH with Kerberos
I have a number of Macs and Red Hat servers running with sshd and Kerberos (using an MIT KDC running on Red Hat). I can log onto any of these servers just fine with Tiger, but with Leopard, I cannot. I've set up Kerberos on the Leopard client, and I can acquire a ticket. However, when I try to log on to a server, it appears that the client isn't even trying to send the Kerberos ticket.

I will not take credit for the following solutions; they come from Apple Support. However, I've tested them both, and they worked for me.

10.5 disables GSSAPI authentication by default. You have to edit /etc/ssh_config, uncomment the line containing GSSAPIAuthentication and change no to yes. Engineering claims this change was made in 10.4.9 and later, but 10.4.10 and 10.4.11 allow GSSAPI authentication by default for me.

You can also run ssh server.com -o GSSAPIAuthentication=yes to force GSSAPI authentication.

10.5: Enable SSH with Kerberos
Authored by: sabi on Dec 10, '07 07:28:00PM

If you're not an administrator you can use ~/.ssh/config instead of /etc/ssh_config. You may also want "GSSAPIDelegateCredentials yes" if the remote system uses AFS.



[ Reply to This | # ]
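A way to check which value the client will use after editing /etc/ssh_config or ~/.ssh/config, as an added example that is not part of the original hint or comments. The function names and the sample files are constructed for illustration; the check only honours options in global scope or under exactly "Host *", and falls back to "no", the OpenSSH default for both options.

```shell
#!/bin/sh
# Added example: report the value ssh would use for a client option that
# applies to every host, reading config files in ssh's lookup order
# (per-user file first, then the system-wide file; first value found wins).

# ssh_opt FILE OPTION -> first uncommented value in global scope or "Host *".
ssh_opt() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); global = 1 }
        {
            sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "")
            if ($0 == "" || $0 ~ /^#/) next      # blank or commented-out line
            line = $0
            sub(/[ \t]*=[ \t]*/, " ", line)      # accept "Key=value" as well
            n = split(line, f, /[ \t]+/)
            key = tolower(f[1])
            # Simplification: only a bare "Host *" counts as matching all hosts.
            if (key == "host")  { global = (n == 2 && f[2] == "*"); next }
            if (key == "match") { global = 0; next }
            if (global && key == want) { print tolower(f[2]); found = 1; exit }
        }
        END { exit !found }
    ' "$1"
}

# effective_opt OPTION FILE... -> first value found across FILEs, else "no".
effective_opt() {
    opt=$1; shift
    for f in "$@"; do
        [ -r "$f" ] || continue
        if v=$(ssh_opt "$f" "$opt"); then echo "$v"; return 0; fi
    done
    echo no
}

# Constructed sample files: a system-wide file with the option still
# commented out, and a per-user file that enables it for all hosts.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' 'Host *' '#   GSSAPIAuthentication no' '    Protocol 2' \
    > "$demo/ssh_config"
printf '%s\n' 'Host legacy.example.com' '    GSSAPIAuthentication no' \
    'Host *' '    gssapiauthentication = yes' > "$demo/user_config"

echo "system only: $(effective_opt GSSAPIAuthentication "$demo/ssh_config")"
echo "user+system: $(effective_opt GSSAPIAuthentication \
    "$demo/user_config" "$demo/ssh_config")"
echo "delegation:  $(effective_opt GSSAPIDelegateCredentials \
    "$demo/user_config" "$demo/ssh_config")"
```

On a real client, pass "$HOME/.ssh/config" before /etc/ssh_config so the per-user file takes precedence, as ssh itself does.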
10.5: Enable SSH with Kerberos
Authored by: jweinberger on Mar 23, '08 02:54:06PM
I'm having difficulty trying to make this work...

I am connecting via SSH from a Mac running 10.5.2 (client) to a Mac running 10.4.11 (server) (both with Security update 2008-002 applied).

On the client Mac, this was working for a while, then it suddenly stopped (unsure why - it worked one day, then not the next - I did reboot the server, but made no other changes to either Mac).

I have uncommented GSSAPIAuthentication yes in the ssh_config on the client. This was the default already, but to be explicit, I thought it might help.

I looked at sshd_config on the server and the default was GSSAPIAuthentication no so I uncommented it and changed it to GSSAPIAuthentication yes

This did not have any effect at all. Both before and after these changes, in response to ssh servername I get:

Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

It might help to know that I am using Public key authentication, following these instructions, which worked fine going 10.4.x to 10.4.x:

https://www.macmedic.co.uk/howto/ssh.html

Can anyone point me in the right direction to help overcome this? I'd very much appreciate it...

[ Reply to This | # ]
10.5: Enable SSH with Kerberos
Authored by: jweinberger on Mar 24, '08 05:14:56AM
Update: I seem to have found a workaround, but still think there's something not working right.

The workaround:

On the server in sshd_config I changed Protocol 2 to Protocol 2,1 (which is the default).

Not sure why protocol 2 wouldn't work with DSA keys....

Any advice is helpful...thanks!

[ Reply to This | # ]