SecureCRT for Kerberos login to root accounts

Passwordless server logins using Kerberos and SecureCRT

In the default SecureCRT configuration, you will be given a shortcut to login to athena.dialup.mit.edu as yourself, using the Kerberos tickets in your environment. If you have been given access to the root (or another named account) on a server that requires Kerberos authentication to login (such as Server Operations's Managed Server offering), you will need to further configure SecureCRT to specify the protocol and account name.

Prerequisites

• Non-user-level access to a Managed Server or other server configuration.
• MIT Kerberos utility installed with valid tickets. http://kb.mit.edu/confluence/display/istcontrib/MIT+Kerberos+for+Windows+4.0.x+-+Installation+Instructions

Instructions

To create a new connection with SecureCRT:

1. Click on the Quick Connect button, the one with the lightning bolt.
   
2. Fill in the Hostname and Username fields, with the username being the account you are logging into. You don't have to identify yourself explicitly - your name is part of your Kerberos tickets.
3. In the list of authentication methods, select GSSAPI and move it to the top of the list.

Once you have connected like this once, the hostname you connected to should appear in your list of choices within SecureCRT.

If you are still spuriously prompted to enter your password, check under Options > Session Options > Key Exchange and enable the ciphers ciphers: diffie-hellman-group, diffie-hellman, kerberos, kerberos (Group Exchange), and diffie-hellman-group14 (all checked, in that order) as shown:

See Also

MIT Kerberos for Windows 4.0.x - Getting Kerberos Tickets (Basic)