Can't get kerberos5/afs working well
Posted on August 13, 2004, 12:32 pm
I have a mixed Linux lab: a server based on Debian (ssh 3.4p1) and
clients based on Gentoo (ssh version 3.8p1). My infrastructure is based
on MIT Kerberos 5 and OpenAFS. All I'd like to do is to make ssh
sessions passwordless, based on the tickets. On both systems I use PAM
authentication via libpam-krb5 and gain the token via
libpam-openafs-session && aklog (the Debian packages). The pam_krb5.so
module has the flags "use_first_pass forwardable".
Now, how do I enable passwordless ssh GAINING the correct tickets and
tokens? These are my settings:
=== ssh 3.8p1 sshd_config excerpt:
=== ssh 3.8p1 ssh_config excerpt:
=== ssh 3.4p1 sshd_config excerpt:
=== ssh 3.4p1 ssh_config excerpt:
Error: Keyboard not found. Press F1 to continue...
Re: Can't get kerberos5/afs working well
Richard E. Silverman, August 13, 2004, 1:24 pm
There's a problem with sshd in 3.7x and 3.8x whereby credentials
established during the PAM authentication phase are not
passed on to the user's shell. The authentication works but
you won't end up with a Kerberos ticket or AFS token. See:
* Don't use PAM for sshd password authentication, use vanilla
* Rebuild sshd with threading (not recommended, and use 3.8.1p1 if you
* Use PasswordAuthentication via PAM. (This is not available in 3.7x
or 3.8x, however it will be available in the upcoming 3.9x release and
some vendors have already backported it to their 3.8x packages).
3.9 will be out soon (most likely within a week). I would either wait
for 3.9 (test a snapshot to see if it resolves your problem) or ask my
vendor about backporting the PAM+PasswordAuthentication patch if they
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
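A check worth running after any of the workarounds above, as an added shell example that is not from the thread, from OpenSSH or from the Debian/Gentoo packages: it takes the captured text of `klist -f` and `tokens` from inside a freshly opened ssh session and classifies what the login actually received. The sample outputs, the realm EXAMPLE.ORG, the principal, the credential-cache path, the AFS cell and the host name `labhost` are constructed placeholders.

```shell
#!/bin/sh
# Added diagnostic (not code from the thread or from OpenSSH): given the text of
# `klist -f` and `tokens` captured inside a freshly opened ssh session, classify
# what the login actually received. Sample outputs are constructed; the realm
# EXAMPLE.ORG, the principal, the cache path and the AFS cell are placeholders.

KLIST_OK='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.ORG

Valid starting     Expires            Service principal
08/13/04 12:30:00  08/13/04 22:30:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        Flags: FfA'

KLIST_NOFWD='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.ORG

Valid starting     Expires            Service principal
08/13/04 12:30:00  08/13/04 22:30:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        Flags: IA'

# What the 3.7x/3.8x PAM problem looks like from inside the session:
# authentication succeeded, but no credentials cache reached the shell.
KLIST_NONE='klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1000)'

TOKENS_OK="Tokens held by the Cache Manager:

User's (AFS ID 1000) tokens for afs@example.org [Expires Aug 13 22:30]
   --End of list--"

TOKENS_NONE='Tokens held by the Cache Manager:

   --End of list--'

# has_tgt KLIST_TEXT: succeeds if a krbtgt/ ticket is listed.
has_tgt() {
    printf '%s\n' "$1" | grep -q 'krbtgt/'
}

# tgt_forwardable KLIST_TEXT: 0 = TGT carries the F flag, 1 = TGT present but
# not forwardable, 2 = no Flags line for the TGT (klist was run without -f).
tgt_forwardable() {
    printf '%s\n' "$1" | awk '
        index($0, "krbtgt/") { seen = 1; next }
        seen && /Flags:/ {
            found = 1
            match($0, /Flags: *[A-Za-z]+/)
            flags = substr($0, RSTART, RLENGTH)
            sub(/Flags: */, "", flags)
            fwd = index(flags, "F") > 0
            exit
        }
        { seen = 0 }
        END { if (!found) exit 2; if (fwd) exit 0; exit 1 }'
}

# has_afs_token TOKENS_TEXT: succeeds if `tokens` lists a token for some cell.
has_afs_token() {
    printf '%s\n' "$1" | grep -q 'tokens for'
}

# diagnose KLIST_TEXT TOKENS_TEXT: prints exactly one of
#   no-ticket, ticket-flags-unknown, ticket-not-forwardable, no-afs-token, ok
diagnose() {
    if ! has_tgt "$1"; then
        echo no-ticket; return
    fi
    if tgt_forwardable "$1"; then rc=0; else rc=$?; fi
    case $rc in
        1) echo ticket-not-forwardable; return ;;
        2) echo ticket-flags-unknown; return ;;
    esac
    if ! has_afs_token "$2"; then
        echo no-afs-token; return
    fi
    echo ok
}

echo "ticket + token:        $(diagnose "$KLIST_OK" "$TOKENS_OK")"
echo "nothing reached shell: $(diagnose "$KLIST_NONE" "$TOKENS_NONE")"
echo "non-forwardable TGT:   $(diagnose "$KLIST_NOFWD" "$TOKENS_OK")"
echo "ticket but no token:   $(diagnose "$KLIST_OK" "$TOKENS_NONE")"

# Live use (not run here); labhost is a placeholder for the client or server:
#   diagnose "$(ssh labhost klist -f 2>&1)" "$(ssh labhost tokens 2>&1)"
```

The `no-ticket` outcome is the symptom the reply describes: PAM accepted the password, but the session that sshd started has no credentials cache, so neither `klist` nor the aklog step has anything to work with. `ticket-not-forwardable` means the ticket arrived but pam_krb5's `forwardable` flag did not take effect, and `no-afs-token` isolates the aklog/session-module side from the Kerberos side.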