# FreeBSD SSH client / Kerberos doesn't work



## mattsaccount (Feb 12, 2012)

SSH to another Linux box from FreeBSD 9 does not seem to work with Kerberos.  Probably a configuration problem -- any suggestions?

Parts of the following files/output are censored.  The realm name is used consistently throughout and is always ALL_CAPS.

kinit/kinit/kdestroy seem to work fine:


```
> klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: XXXX@REMOTE_REALM

  Issued           Expires          Principal
Feb 12 13:15:27  Feb 12 23:15:27  krbtgt/REMOTE_REALM@REMOTE_REALM
...
```

ssh results:


```
OpenSSH_5.8p2_hpn13v11 FreeBSD-20110503, OpenSSL 0.9.8q 2 Dec 2010
debug1: Reading configuration data /etc/ssh/ssh_config
... <TRUNCATED> ...
debug2: key: /root/.ssh/id_dsa (0x0)
debug2: key: /root/.ssh/id_ecdsa (0x0)
debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive
debug3: start over, passed a different list publickey,gssapi-with-mic,password,keyboard-interactive
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /root/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug3: no such identity: /root/.ssh/id_ecdsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
```

ssh_config:


```
Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
   GSSAPIAuthentication yes
   GSSAPIDelegateCredentials yes
#   BatchMode no
#   CheckHostIP no
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
#   ProxyCommand ssh -q -W %h:%p gateway.example.com
#   VersionAddendum FreeBSD-20110503
```

*ssh -V*

```
OpenSSH_5.8p2_hpn13v11 FreeBSD-20110503, OpenSSL 0.9.8q 2 Dec 2010
```

*kinit --version*

```
kinit (Heimdal 1.1.0)
Copyright 1995-2008 Kungliga Tekniska Holan
Send bug-reports to [email]heimdal-bugs@h5l.org[/email]
```
Thanks for any input!


----------

