On Wed, 11 Jun 2025, Household Cang via openssh-unix-dev wrote:
> Hello,
>
> I am trying to use a Kerberos ticket from one AD-joined machine to log in
> to another AD-joined machine without passwords.
>
> I passed -o GSSAPIAuthentication=yes to ssh on the client and exported
> KRB5_TRACE=/dev/stdout to print out the debug messages. It shows me
> "Creating authenticator for user@xxxxxxxxxx ->
> host/hostname.domain@domain.realm". All good there.
>
> On the server side, I have GSSAPIAuthentication=yes in sshd_config,
> DEBUG3 set, and there keeps being an error message: debug1: No credentials
> were supplied, or the credentials were unavailable or inaccessible.
> No key table entry found matching host/hostname.domain@(empty ?)
>
> I am confused as to why sshd decides to drop the @domain.realm part.
> There are no host/hostname.domain@ entries in klist, so is there a way
> to debug or force sshd to honor what the client has sent?

At least MIT Kerberos uses @ without a realm to indicate that the realm is
currently not specified or will be discovered.

It would help to see the full trace. You can obfuscate the hostname and
realm somehow, but in a consistent way.

Another thing to check is the content of the keytab used. Kerberos names
are case-sensitive, both principal names and realm names, so there might
be differences with the keys in the keytab. Can you show the output of
`klist -k` (assuming it is the default /etc/krb5.keytab)?

-- 
/ Alexander Bokovoy

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
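The keytab check Alexander suggests, written out as an added example (this is not code from the thread or from OpenSSH or MIT Kerberos). It reads a `klist -k` listing, looks for the exact service principal the client's trace named as the target, and reports separately whether the entry is present, present only under a different case of principal or realm, or absent altogether. The listing embedded below is constructed for the demonstration, with `hostname.domain` and `DOMAIN.REALM` as placeholders; the lower-case realm on the `host/` entry is invented to show what a case mismatch looks like, not something the original poster reported.

```shell
#!/bin/sh
# Added example, not code from the thread above: check a `klist -k` listing
# for the exact service principal sshd will look for, and tell an exact match
# apart from a case-only mismatch or a missing entry. Kerberos compares
# principal and realm names case-sensitively, so "domain.realm" and
# "DOMAIN.REALM" are different keys.
#
# Exit status of check_keytab_principal:
#   0  exact entry present
#   1  an entry matches only when case is ignored (probable case mismatch)
#   2  no entry for that principal at all

# Constructed sample of `klist -k` output (hostname and realm are
# placeholders). The host/ entry deliberately carries a lower-case realm.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HOSTNAME$@DOMAIN.REALM
   3 host/hostname.domain@domain.realm
   3 RestrictedKrbHost/hostname.domain@DOMAIN.REALM'

lowercase() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# check_keytab_principal EXPECTED_PRINCIPAL  < output-of-klist-k
check_keytab_principal() {
    expected="$1"
    expected_lc=$(lowercase "$expected")
    exact=0
    caseonly=0
    while IFS= read -r line; do
        # Entry lines start with a numeric KVNO; skip the header and ruler.
        set -- $line
        case "${1:-}" in
            ''|*[!0-9]*) continue ;;
        esac
        # The principal is the last field (klist -t adds timestamp columns).
        while [ $# -gt 1 ]; do shift; done
        princ="$1"
        if [ "$princ" = "$expected" ]; then
            exact=1
        elif [ "$(lowercase "$princ")" = "$expected_lc" ]; then
            caseonly=1
            echo "case-only mismatch: keytab has '$princ', sshd wants '$expected'"
        fi
    done
    if [ "$exact" -eq 1 ]; then
        echo "ok: $expected is in the keytab"
        return 0
    fi
    if [ "$caseonly" -eq 1 ]; then
        return 1
    fi
    echo "missing: no keytab entry for $expected"
    return 2
}

# Demonstration on the constructed listing. On a real host replace the
# printf with:  klist -k /etc/krb5.keytab | check_keytab_principal "$EXPECTED"
EXPECTED='host/hostname.domain@DOMAIN.REALM'
printf '%s\n' "$SAMPLE_KEYTAB_LISTING" | check_keytab_principal "$EXPECTED" \
    || echo "check_keytab_principal exit status: $?"
```

The principal to pass is the target shown in the client's KRB5_TRACE line ("Creating authenticator for ... -> host/hostname.domain@REALM"), spelled exactly as the trace prints it. Point `klist -k` at whatever keytab sshd actually reads: for MIT Kerberos that is /etc/krb5.keytab unless KRB5_KTNAME is set in sshd's environment, in which case pass that path to `klist -k`.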