HPE Community
Operating System - HP-UX
1829752 Members
1769 Online
109992 Solutions
New Discussion

SSH gss_krb5_copy_ccache failing

 
Mike Culbertson
New Member

‎01-22-2010 12:23 PM

‎01-22-2010 12:23 PM

SSH gss_krb5_copy_ccache failing

We're using SecureShell (a couple different versions, 5.0 and the latest 5.3) on 11.23 and 11.31. When authenticating via GSSAPI, the auth itself works fine but kerberos credentials are not successfully being delegated to the destination server. Running sshd in debug shows this error:

gss_krb5_copy_ccache() failed

And that's about it. The kerberos creds coming from the client have all the necessary flags for forwarding and delegation (FPRAT, to be specific). And, when SSHing to other machines using the exact same ssh client and credentials (a mixed bag of Solaris and Linux), delegation works fine and we end up with the expected credentials on the destination server.

Also, kerberos otherwise works fine on the HP-UX boxes. We can kinit, and ssh out from them and the tickets are forwarded as expected. The problem seems to exclusively affect sshd when it tries to store incoming credentials.

The only other references I've found to this error were client issues, and we've eliminated the client as the problem so we're all but stumped at this point.

Any ideas?
0 Kudos
Reply
4 REPLIES 4
Michal Kapalka (mikap)
Honored Contributor

‎01-22-2010 12:28 PM

‎01-22-2010 12:28 PM

Re: SSH gss_krb5_copy_ccache failing

hi,

check this link :

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1285607

mikap
0 Kudos
Reply
Mike Culbertson
New Member

‎01-22-2010 12:38 PM

‎01-22-2010 12:38 PM

Re: SSH gss_krb5_copy_ccache failing

That ITRC post is actually the other reference we found to a similar issue, except that was a client issue with PuTTY. In our case, the client is OpenSSH, and using the exact same client and server configs between other machines, the credentials are forwarded as expected.

The end result of that post also seemed to be that they made the error go away by simply turning off delegation on the client, but they didn't actually get credential forwarding to work.
0 Kudos
Reply
Sameer_Nirmal
Honored Contributor

‎01-22-2010 05:22 PM

‎01-22-2010 05:22 PM

Re: SSH gss_krb5_copy_ccache failing

Does the sshd server have GSSAPIDelegateCredentials enabled?
0 Kudos
Reply
Mike Culbertson
New Member

‎01-25-2010 10:23 AM

‎01-25-2010 10:23 AM

Re: SSH gss_krb5_copy_ccache failing

Yes, both the server and the client have full krb5/gssapi options enabled:

Server:
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

Client:
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

Also to clarify, using the exact same sshd_config+ssh_config on other platforms, delegation works as expected.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.