[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: problem for openssh and pam



Thanks for helping me to solve my problem about kerberos and openssh.

I have installed required rpms for Rh7.1 :
openssh-2.9p2-1eds.i386.rpm
openssh-server-2.9p2-1eds.i386.rpm openssh-client-2.9p2-1eds.i386.rpm
from   Simon Wilkinsn Site.

I have configured sshd_config and ssh_config to enable kerberos
Authentication
but I have got the same error  in running sshd: Bad configuration
option :
 kerberos Authentication

I have installed openssh-3.0.2p1 and related patches for kerberos
(openssh-3.0.2p1-krb5.patch and openssh-3.0.2p1-gssapi.patch )

In compiling I have enabled kerberos but it gives me an error for
"  not finding krb.h  " .So I couldn't install openssh3.0.2 from tar
file.

If I am wrong in some phases please tell me , or any suggestions ?
I really appritiate any help.
Regards.
Sara


Steve Langasek wrote:

> On Wed, Feb 13, 2002 at 02:50:46PM -0800, sara sodagar wrote:
> > Hi
> > I am using RH7.1 .I want to setup a Kerberos 5 client with
> > Kerberos-enabled OPENSSH.
>
> > I have installed following rpms:
>
> > openssh-2.9p2-11.7
> > openssh-client-2.9p2-11.7
> > openssh-server-2.9p2-11.7
>
> > pam-0.74-22
> > pam-krb5-1.31-1
> > pam-devel-0.74-22
>
> > krb5-devel-1.2.2-12
> > krb5-libs-1.2.2-12
> > krb5-workstation-1.2.2.12
>
> > I have attached my /etc/pam.d/sshd and /etc/pam.d/system-auth .
> > I run kinit and then  want to ssh to another kerberized machine
> > without a password , but it promts to me for password.
>
> You're using the wrong tools for the job.  pam_krb5 does NOT provide
> passwordless access to remote Kerberized servers; it only verifies
> provided passwords against a KDC by requesting a TGT on the user's
> behalf.
>
> If you want passwordless, Kerberized SSH, you should look at Simon
> Wilkinson's external-keyx patches to OpenSSH.  There are several
> different Kerberos options for SSH, but I understand this one is
> considered the cleanest.  You will have to change both your ssh client
> and your ssh server (as Kerberos must be supported on both sides).
>
> Steve Langasek
> postmodern programmer
>
>   ------------------------------------------------------------------------
>    Part 1.2Type: application/pgp-signature





[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []