Why can’t I use Kerberos TGT forwarding when SSH’ing from a remote network?

A few possibilities:

  • Clock skew. Make sure ntp is installed.
  • OpenSSH versions differ too greatly, install the same version on both ends
  • You do not have both ‘GSSAPIAuthentication yes’ and ‘GSSAPIDelegateCredentials yes’ on the client ssh_config
  • The server does not have a /etc/krb5.keytab containing the key for host/server.fqdn.com
  • The server does not have ‘GSSAPIAuthentication yes’ and ‘GSSAPIKeyExchange yes’ in sshd_config
  • The client has a different reverse-DNS idea of the server’s fully-qualified domain name than the server does. Very common if the server is using a private DNS server but the client is using a public one. In this case, the client needs a ticket for host/server.domain.com but due to the reverse DNS lookup, requests one for host/ipaddr.isp.net instead. Either the same name server needs to be used by both server and client, or client needs to add server to his hosts file.
  • The server has an incorrect ordering on the line in the hosts file. It should be followed by FQDN followed by hostname followed by localhost.

Leave a Reply