Requires OpenSSH 3.9, which ships with Fedora Core 3. For Fedora Core 2, use the packages from:

ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/rpm/FC2/

bash-2.05b# rpm -qa | grep openssh
openssh-askpass-gnome-3.9p1-1fc2
openssh-askpass-3.9p1-1fc2
openssh-clients-3.9p1-1fc2
openssh-3.9p1-1fc2
openssh-server-3.9p1-1fc2

**********
* server
**********

/etc/hosts

127.0.0.1       www.example.com server1 localhost.localdomain localhost
192.168.0.100   kerberos.example.com

Note that the server's own name resolves to 127.0.0.1 here; this is what later forces the addressless-ticket workaround on the client.

/etc/passwd

erodriguez:x:500:500::/home/erodriguez:/bin/bash
akarasulu:x:501:501::/home/akarasulu:/bin/bash

/etc/shadow

erodriguez:*K*:12819:0:99999:7:::
akarasulu:*K*:12821:0:99999:7:::

The `*K*` password field is not a valid password hash, so these accounts cannot log in with a local password; they authenticate through Kerberos only.

/etc/ssh/sshd_config

# Kerberos options
KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes

sshd applies the first uncommented occurrence of each keyword, so make sure no earlier `GSSAPIAuthentication no` line survives above the `yes`.

[root@www ~]# date
Sat Feb 5 16:25:27 EST 2005
[root@www ~]# hostname
www.example.com

The hostname must be the fully qualified name used in the service principal (host/www.example.com), since sshd looks up the key for that principal in the keytab.

[root@www ~]# ktab -a host/www.example.com randall
Done!
Service key for host/www.example.com is saved in /root/krb5.keytab
[root@www ~]# mv /root/krb5.keytab /etc
[root@www ~]# ls -la /etc/krb5.keytab
-rw-r--r--  1 root root 65 Feb 5 15:32 /etc/krb5.keytab

Two things to fix before going further: the second argument to `ktab -a` is the principal's password, and giving it on the command line leaves it in shell history and in `ps` output (omit it and let ktab prompt instead); and the keytab as listed is world-readable, which hands the host's long-term key to every local user. It should be owned by root with mode 0600 before sshd is started.

To debug the server side without disturbing the running daemon, start a second sshd in the foreground on an alternate port with full debugging (it serves one connection and exits):

[root@www ~]# /usr/sbin/sshd -p 2222 -d -d -d

For Linux logins, run authconfig, which edits /etc/pam.d/system-auth.

If /var/log/messages shows:

Authentication failure (KDC reply did not match expectations)

adjust the renew lifetime that the PAM module requests in /etc/krb5.conf:

[appdefaults]
    pam = {
        renew_lifetime = 0
    }

**********
* client
**********

/etc/ssh/ssh_config

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

/etc/hosts

127.0.0.1       server2 localhost.localdomain localhost kerberos.example.com
192.168.0.2     www.example.com server1

bash-2.05b# date
Sat Feb 5 16:25:27 EST 2005

Both hosts show the same time. Kerberos rejects authenticators whose timestamp is outside the KDC's clock-skew limit (5 minutes by default), so check the clocks first whenever GSSAPI authentication fails for no obvious reason.

** The '-f' flag requests a FORWARDABLE ticket. GSSAPIDelegateCredentials needs this; without it the TGT cannot be forwarded to the server.

** The '-A' flag requests a ticket with no client address list. This matters if you run sshd or Kerberos on localhost: the server sees the connection coming from 127.0.0.1 (because its own name resolves to loopback in /etc/hosts), while the ticket carries the eth0 address, say 192.168.0.2, so the address check fails. An addressless ticket takes this mismatch out of the picture. The longer-term fix is to map the server's FQDN to its real interface address in /etc/hosts.

bash-2.05b# kinit -A -f
Password for erodriguez@EXAMPLE.COM:kerby
New ticket is stored in cache file /tmp/krb5cc_0

bash-2.05b# klist -f
Credentials cache: /tmp/krb5cc_0
Default principal: erodriguez@EXAMPLE.COM, 2 entries found.

[1] Service Principal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
    Valid starting: Feb 05, 2005 15:28
    Expires: Feb 06, 2005 15:28
    Flags: FORWARDABLE

[2] Service Principal: host/www.example.com@EXAMPLE.COM
    Valid starting: Feb 05, 2005 15:28
    Expires: Feb 06, 2005 15:28
    Flags: FORWARDABLE

Connect to the debugging sshd on port 2222 first, with client-side debugging, then to the normal daemon:

bash-2.05b# ssh -p 2222 -v -v -v -l erodriguez www.example.com
bash-2.05b# ssh -l erodriguez www.example.com
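The checks below cover the points that go wrong in the setup above (keytab mode, the effective sshd GSSAPI setting, the server name resolving to loopback, and whether the service ticket is forwardable). This is an added example and not part of the original notes; the file contents it reads are reconstructed from the page into a scratch directory, and the function names are this example's own.

```shell
#!/bin/sh
# Pre-flight checks for the Kerberos/GSSAPI sshd setup in these notes
# (added example, not part of the original page). Each check returns 0/1
# so it can sit in an if or && chain. make_samples reconstructs the files
# shown on the page (constructed data); point the checks at
# /etc/krb5.keytab, /etc/ssh/sshd_config, /etc/hosts and real klist -f
# output to run them on a live host.

# 1. Keytab mode: the page lists /etc/krb5.keytab as -rw-r--r--, which
#    hands the host's long-term key to every local user. Pass only when
#    no group/other permission bits are set (0600 or 0400).
check_keytab_mode() {                         # check_keytab_mode <file>
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        ????------) return 0 ;;
        *)          return 1 ;;
    esac
}

# 2. sshd honours the FIRST uncommented occurrence of a keyword (keywords
#    are case-insensitive), so a "GSSAPIAuthentication no" left above the
#    "yes" line silently wins. Print the value sshd will actually use.
sshd_option() {                               # sshd_option <file> <keyword>
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '$1 !~ /^#/ && tolower($1) == key { print tolower($2); exit }' "$1"
}

check_sshd_gssapi() {                         # check_sshd_gssapi <file>
    [ "$(sshd_option "$1" GSSAPIAuthentication)" = "yes" ]
}

# 3. The kinit -A workaround is needed because the server's /etc/hosts
#    maps its own FQDN to 127.0.0.1 while the ticket carries the eth0
#    address. Return 0 when <name> resolves to a loopback address.
hosts_maps_to_loopback() {                    # hosts_maps_to_loopback <file> <name>
    awk -v name="$2" '
        $1 !~ /^#/ && ($1 == "127.0.0.1" || $1 == "::1") {
            for (i = 2; i <= NF; i++) if ($i == name) found = 1
        }
        END { exit !found }' "$1"
}

# 4. Parse klist -f output in the format shown on the page and confirm
#    the ticket for <principal> carries FORWARDABLE, which
#    GSSAPIDelegateCredentials needs in order to forward the TGT.
ticket_is_forwardable() {                     # ticket_is_forwardable <file> <principal>
    awk -v want="$2" '
        /Service Principal:/ { cur = $NF }
        $1 == "Flags:" && cur == want {
            for (i = 2; i <= NF; i++) if ($i == "FORWARDABLE") found = 1
        }
        END { exit !found }' "$1"
}

# Sample inputs reconstructed from the page (constructed data). Prints the
# scratch directory; the caller removes it.
make_samples() {
    d=$(mktemp -d)
    : > "$d/krb5.keytab"
    chmod 644 "$d/krb5.keytab"
    printf '#GSSAPIAuthentication no\nGSSAPIAuthentication yes\n' > "$d/sshd_config"
    printf '127.0.0.1 www.example.com server1 localhost.localdomain localhost\n192.168.0.100 kerberos.example.com\n' > "$d/hosts.server"
    printf '127.0.0.1 server2 localhost.localdomain localhost kerberos.example.com\n192.168.0.2 www.example.com server1\n' > "$d/hosts.client"
    cat > "$d/klist.txt" <<'EOF'
Credentials cache: /tmp/krb5cc_0
Default principal: erodriguez@EXAMPLE.COM, 2 entries found.
[1] Service Principal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Valid starting: Feb 05, 2005 15:28
Expires: Feb 06, 2005 15:28
Flags: FORWARDABLE
[2] Service Principal: host/www.example.com@EXAMPLE.COM
Valid starting: Feb 05, 2005 15:28
Expires: Feb 06, 2005 15:28
Flags: FORWARDABLE
EOF
    echo "$d"
}

run_checks() {                                # run every check on the samples
    d=$(make_samples)
    check_keytab_mode "$d/krb5.keytab" && echo "keytab mode: ok" \
        || echo "keytab mode: group/world readable; chmod 600 /etc/krb5.keytab"
    check_sshd_gssapi "$d/sshd_config" && echo "sshd GSSAPIAuthentication: yes" \
        || echo "sshd GSSAPIAuthentication: not enabled"
    hosts_maps_to_loopback "$d/hosts.server" www.example.com \
        && echo "hosts: www.example.com is on 127.0.0.1; use kinit -A or fix /etc/hosts"
    ticket_is_forwardable "$d/klist.txt" host/www.example.com@EXAMPLE.COM \
        && echo "ticket: host/www.example.com@EXAMPLE.COM is FORWARDABLE"
    rm -rf "$d"
}

run_checks
```

The sshd_config check deliberately mirrors sshd's first-match rule but ignores `Match` blocks, so a keyword set inside a `Match` stanza is not seen; ownership of the keytab is not checked here because the scratch files are not root-owned, so confirm `root root` in the `ls -la` output by hand.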