Re: OpenSSH: Password/Key + Kerberos Authentification

From: Vladimir Terziev (vladimir.terziev@sun-fish.com)
Date: 02/06/03

  • Next message: Erwann Abalea: "Re: OpenSSH and OpenSSL"
    Date: Thu, 6 Feb 2003 09:42:01 +0200
    From: Vladimir Terziev <vladimir.terziev@sun-fish.com>
    To: secureshell@securityfocus.com
    
    

      In fact support for Kerberos 5 in distribution sources of OpenSSH is limited only to talk to KDC and get the Kerberos ticket from it. If you want to use a kerberos ticket received from the KDC with ``kinit'' command, you can't, because OpenSSH doesn't support ticket forwarding in it's original distribution. To use a ticket forwarding you have to apply a Simon Wilkinson's GSSAPI patches for OpenSSH.
      Aditionally to have both Kerberos and Password anthentication in OpenSSH you have to set sshd_config's option ``KerberosOrLocalPasswd'' to ``yes''.

            good luck

                    Vladimir

    On Sun, 2 Feb 2003 21:56:12 +0100 (MET)
    U.Kerzel@gmx.net wrote:

    > Dear Sir,
    >
    > we would like to set up a sshd such that it accepts both the usage of
    > passwords and keys as well as kerberos tickets.
    > The idea is that users trying to connect get accepted if
    > a) they have a valid kerberos ticket
    > or
    > b) their key is stored in authorized_keys
    > or
    > c) they enter a valid password
    >
    > We have been trying to set this up but got only that far that as soon as
    > Kerberos tickets were used as authentification method,
    > nomal passoword/key login was no longer possible.
    >
    > The machine runs under a RedHad based Linux, Vanilla kernel 2.4.20 from
    > kernel.org and
    > OpenSSh version SSH-2.0-OpenSSH_3.5p1f1 is used.
    >
    > Any hint how to set this up would be most welcome.
    >
    > Kind regards,
    >
    > Ulrich
    >
    > --
    > w
    >
    > +++ GMX - Mail, Messaging & more http://www.gmx.net +++
    > NEU: Mit GMX ins Internet. Rund um die Uhr für 1 ct/ Min. surfen!
    >
    >
    >