[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: kerberos&ssh



On Sun, Feb 03, 2002 at 09:19:32AM -0800, behnaz wrote:
> I want to set up a kereros 5 client with kerberos-enbled openssh.I have configured 
> /etc/krb5.conf and /etc/pam.d/sshd and I have performed all necessary steps but
> when i run kinit and try to ssh to this machine i can't authomatically login without password.

PAM (or pam_krb5) can't perform passwordless logins using Kerberos.  The
pam_krb5 module provides authentication using a password and a means to
get initial credentials at login-time, but that's not sufficient for doing
what you want (because the module *needs* a password to be entered in
order to do its job).

To properly support Kerberos, your SSH client and server need to support
Kerberos as a separate authentication method (alongside, say, using public
keys).  To my knowledge, neither SSH nor OpenSSH provide this in their
default source trees.

If you're using patches which add GSSAPI authentication to OpenSSH (I
use Simon Wilkinson's, I don't know of others), then PAM isn't going to
be involved at all.

To use Simon's patches, you'll need a keytab on the SSH server with the
proper key (for host/hostname@REALM) in it, and the server's sshd_config
file will need to include these configuration directives:

GssapiAuthentication yes
GssapiKeyExchange yes
GssapiUseSessionCredCache yes

HTH,

Nalin





[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []