Re: problem for openssh and pam

On Wed, Feb 13, 2002 at 02:50:46PM -0800, sara sodagar wrote:
> Hi
> I am using RH7.1. I want to set up a Kerberos 5 client with
> Kerberos-enabled OPENSSH.

> I have installed the following rpms:

> openssh-2.9p2-11.7  
> openssh-client-2.9p2-11.7
> openssh-server-2.9p2-11.7

> pam-0.74-22
> pam-krb5-1.31-1
> pam-devel-0.74-22

> krb5-devel-1.2.2-12
> krb5-libs-1.2.2-12
> krb5-workstation-

> I have attached my /etc/pam.d/sshd and /etc/pam.d/system-auth.
> I run kinit and then want to ssh to another kerberized machine
> without a password, but it prompts me for a password.

You're using the wrong tools for the job.  pam_krb5 does NOT provide 
passwordless access to remote Kerberized servers; it only verifies 
provided passwords against a KDC by requesting a TGT on the user's 

If you want passwordless, Kerberized SSH, you should look at Simon 
Wilkinson's external-keyx patches to OpenSSH.  There are several 
different Kerberos options for SSH, but I understand this one is
considered the cleanest.  You will have to change both your ssh client
and your ssh server (as Kerberos must be supported on both sides).

Steve Langasek
postmodern programmer

