Kerberos token forwarding with ssh on ubuntu

Posted on October 17, 2009. Filed under: Uncategorized

At work, Linux machines running the standard site installation support Kerberos ticket forwarding via ssh. This is very convenient: I obtain a Kerberos ticket once on my desktop and can then, for example, run scripts on the desktop that log in to the computer farm to perform some tasks, without typing a password for each connection. However, this does not work out of the box with Ubuntu (at least not with Hardy Heron). I had been looking for a solution for a long time (I even copied the ssh executable and its dependent libraries from a node with the standard installation to my desktop, but obviously this is not a very elegant solution).

Now I finally found out how to make this work! (amongst others, thanks to this page). I compared the output of ssh -vvv between logging in from my desktop and logging in from a node where ticket forwarding works. I noticed that at some point (when logging in from Ubuntu) I see:

debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: An invalid name was supplied
No error

On the link mentioned above I saw that there is an option

GSSAPITrustDNS=yes

which one can give to ssh (either with -o on the command line for testing, or in ~/.ssh/config once one wants to use the option permanently). Indeed, this solved the problem, and the above error message disappears from the debug output. What the option does is let ssh canonicalize the host name through DNS before building the host/<name> service principal it asks the KDC for. That is exactly what is needed when the name you type is a round-robin DNS alias shared by several nodes (load balancing implemented by the name server): the alias itself is not a host the KDC knows about, only the individual nodes are. Note that GSSAPITrustDNS is part of the GSSAPI patch set carried by Debian and Ubuntu's OpenSSH packages, not an upstream OpenSSH option, and that it is off by default for a reason: with it enabled, ssh trusts DNS to tell it which principal to request a ticket for, so a spoofed DNS reply could steer the ticket request to an attacker-chosen host. It is therefore better to enable it only for the hosts that need it (a Host stanza in ~/.ssh/config) rather than globally.

In order also to have access to my AFS directory on the destination host, I also needed to add the option

GSSAPIDelegateCredentials=yes

which forwards a copy of the Kerberos ticket to the remote host, so that the login session there can obtain an AFS token. The same caution applies: a forwarded ticket lets the remote machine act as you until it expires, so only delegate to hosts you trust, and again restrict the setting to those hosts rather than applying it to every connection.
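Putting the two options together, here is the ~/.ssh/config layout I would use. This is an added example and not configuration from the original post; the host names (farm, farm*.example.org) and the domain are placeholders for the site's real round-robin alias and node names. It shows the weak form (both options for every host, commented out) next to the scoped form.

```sshconfig
# ~/.ssh/config -- added example, not part of the original post.
# "farm", "farm*.example.org" and "example.org" are placeholder names.

# Weak: enabling DNS trust and ticket forwarding for every host means any
# machine you connect to (including one a spoofed DNS answer sent you to)
# receives a copy of your Kerberos ticket and can act as you until it expires.
# Host *
#     GSSAPIAuthentication yes
#     GSSAPITrustDNS yes
#     GSSAPIDelegateCredentials yes

# Scoped: only the round-robin farm alias and its individual nodes get the
# DNS-based principal lookup and the forwarded ticket.
Host farm farm.example.org farm*.example.org
    GSSAPIAuthentication yes
    # Canonicalize the alias via DNS to build host/<node>@REALM; needed because
    # the alias is a DNS round-robin over several nodes (Debian/Ubuntu option).
    GSSAPITrustDNS yes
    # Forward the ticket so the remote session can obtain an AFS token.
    GSSAPIDelegateCredentials yes

# Everything else: use the Kerberos ticket to authenticate if the server
# offers it, but never hand the ticket over, and do not trust DNS for the
# principal name.
Host *
    GSSAPIAuthentication yes
    GSSAPITrustDNS no
    GSSAPIDelegateCredentials no
```

ssh_config uses the first matching value for each option, so the specific Host stanza must come before the catch-all Host * stanza; if they are swapped, the Host * values win. To confirm the stanza is picked up, run ssh -vvv farm.example.org and check that the gssapi-with-mic exchange in the debug output no longer ends with "An invalid name was supplied", and, once logged in, that klist on the remote side shows the forwarded ticket.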