Problem with latest OpenSSH and Wilkinson's Kerberos patch



I built and installed an MIT KDC, OpenSSH 4.2p1 (built with S.
Wilkinson's GSSAPI/Kerberos patch), and changed relevant settings in
sshd_config; however, OpenSSH is still prompting me for a password (I
want single sign-on).  Running on Debian Linux.  Here's the flow:

user%  kinit <user>  [get a TGT]
user%  klist  [dumps my TGT, looks fine]
[SSH asks for password and I Ctrl+C out]

In the debug dump, I can see the SSH client sending a GSSAPI stream
which the sshd appears to be ignoring.  It does, however, obtain a TGS
in the process, which is a good sign, but there's still no single
sign-on.  I tried short hostname and FQHN, same result.  The keytab
contains principals for both flavors.

I have a suspicion that it might have something to do with a cipher
mismatch?  I don't tell KDC what enctypes to generate, so it does 3DES
by default.  I thought OpenSSH also supports 3DES, and specifically
uncommented the "Cipher 3des" line in ssh_config, but still no luck.

Any ideas?  TIA!
