Q: Why don't I get Kerberos tickets or AFS tokens when I connect to a Debathena machine via ssh?
- Why do I get "Permission denied" errors when trying to access my home directory after ssh'ing to a Debathena machine?
- Why do I get one of the following errors when trying to log in to a Debathena machine via ssh?
  - Could not chdir to home directory /mit/joeuser: Permission denied
  - /mit/joeuser/.bash_login: Permission denied
  - mailquota: Cannot authenticate to PO12.MIT.EDU
  - from: Cannot authenticate to PO12.MIT.EDU
Context
- Debathena workstations
- Remote access (ssh)
Answer
ssh on Athena is configured not to send Kerberos tickets to the remote server by default. To log into a trusted Athena server that requires Kerberos tickets, you must either type your Kerberos password, or use ssh -K to send a copy of your local tickets. If you wish to make this your default setting, please see "How do I configure SSH to always delegate my Kerberos tickets?"
Details:
When you connect to a Debathena machine via ssh, you can be authenticated in one of several ways. The two most common are GSSAPI (Kerberos) and Keyboard Interactive (typing a password). If you have valid Kerberos tickets on the machine you're connecting from, they will be used to authenticate you to the Debathena machine. However, those tickets will not be forwarded to the Debathena machine by default. This means that although you have logged in to the Debathena machine, you have no Kerberos tickets there, so you won't have access to your home directory.
To change this, you will need to ensure that you delegate (forward) your tickets to the remote machine when you initially connect via ssh, which is done by providing the -K option to ssh.
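To see which case applies to a host before you connect, the following added example (not part of the original article) classifies the effective client settings that `ssh -G` reports. The function names, the sample output and the host name debathena-host.example.edu are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify the effective GSSAPI settings for a host.
# Reads `ssh -G <host>` output on stdin and prints one of:
#   delegating  - tickets are forwarded (same effect as ssh -K)
#   auth-only   - Kerberos login works, but no tickets reach the remote
#                 side, so the home directory gives "Permission denied"
#   no-gssapi   - GSSAPI authentication is off, or this ssh client was
#                 built without GSSAPI and prints neither key
classify_gssapi() {
    awk '
        $1 == "gssapiauthentication"      { auth = $2 }
        $1 == "gssapidelegatecredentials" { deleg = $2 }
        END {
            if (auth != "yes")       print "no-gssapi"
            else if (deleg == "yes") print "delegating"
            else                     print "auth-only"
        }'
}

# Ask the local ssh client which options it would use for host "$1".
# ssh -G only evaluates the configuration; no connection is made.
# Usage (placeholder host name): check_host debathena-host.example.edu
check_host() {
    ssh -G "$1" | classify_gssapi
}

# Constructed samples of `ssh -G` output, trimmed to the relevant keys.
SAMPLE_DEFAULT='hostname debathena-host.example.edu
gssapiauthentication yes
gssapidelegatecredentials no'

SAMPLE_DELEGATING='hostname debathena-host.example.edu
gssapiauthentication yes
gssapidelegatecredentials yes'
```

A result of `delegating` for a host you do not trust means your tickets would be copied there on every login, so keep delegation limited to trusted Athena servers.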