Re: OpenSSH: Password/Key + Kerberos Authentification

From: Vladimir Terziev (vladimir.terziev@sun-fish.com)
Date: 02/06/03

    Date: Thu, 6 Feb 2003 09:42:01 +0200
    From: Vladimir Terziev <vladimir.terziev@sun-fish.com>
    To: secureshell@securityfocus.com
    
    

      In fact, Kerberos 5 support in the distribution sources of OpenSSH is limited to talking to the KDC and getting the Kerberos ticket from it. If you want to use a Kerberos ticket received from the KDC with the ``kinit'' command, you can't, because OpenSSH doesn't support ticket forwarding in its original distribution. To use ticket forwarding you have to apply Simon Wilkinson's GSSAPI patches for OpenSSH.
      Additionally, to have both Kerberos and password authentication in OpenSSH you have to set sshd_config's option ``KerberosOrLocalPasswd'' to ``yes''.

            good luck

                    Vladimir

    On Sun, 2 Feb 2003 21:56:12 +0100 (MET)
    U.Kerzel@gmx.net wrote:

    > Dear Sir,
    >
    > we would like to set up a sshd such that it accepts both the usage of
    > passwords and keys as well as kerberos tickets.
    > The idea is that users trying to connect get accepted if
    > a) they have a valid kerberos ticket
    > or
    > b) their key is stored in authorized_keys
    > or
    > c) they enter a valid password
    >
    > We have been trying to set this up but only got so far that as soon as
    > Kerberos tickets were used as authentication method,
    > normal password/key login was no longer possible.
    >
    > The machine runs under a Red Hat based Linux, vanilla kernel 2.4.20 from
    > kernel.org, and
    > OpenSSH version SSH-2.0-OpenSSH_3.5p1f1 is used.
    >
    > Any hint how to set this up would be most welcome.
    >
    > Kind regards,
    >
    > Ulrich
    >
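
An added example, not part of the original post or of OpenSSH: a small Python audit of sshd_config text for the three login paths from the question and the ``KerberosOrLocalPasswd'' setting from the reply. The function names and both sample configurations are constructed for illustration; it assumes sshd's documented rule that the first value given for a keyword is the one used.

```python
import re

# The sshd_config keywords that decide the login paths named in the thread.
KEYWORDS = ("kerberosauthentication", "kerberosorlocalpasswd",
            "passwordauthentication", "pubkeyauthentication")
LINE = re.compile(r"^(\w+)\s*(?:=\s*|\s+)(.*)$")

def effective_options(text):
    """Parse sshd_config text: keywords are case-insensitive, first value wins."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"').lower()
        if key == "match":  # conditional blocks in newer OpenSSH are not global
            break
        opts.setdefault(key, value)
    return opts

def audit(text):
    """Return (state, findings); state maps keyword to True, False or None."""
    opts = effective_options(text)
    state = {k: {"yes": True, "no": False}.get(opts.get(k)) for k in KEYWORDS}
    findings = [f"{k}: no explicit yes/no, the default of this build applies"
                for k in KEYWORDS if state[k] is None]
    if state["kerberosauthentication"] and state["kerberosorlocalpasswd"] is False:
        findings.append("kerberosorlocalpasswd is 'no': a password that fails "
                        "Kerberos validation is not checked against local accounts")
    return state, findings

# Constructed sample: Kerberos switched on, local password fallback switched off.
BROKEN = """
KerberosAuthentication yes
KerberosOrLocalPasswd no
PasswordAuthentication yes
"""

# Constructed sample: all three login paths explicit, as the reply suggests.
FIXED = """
kerberosauthentication yes
KerberosOrLocalPasswd = yes
PasswordAuthentication yes
PubkeyAuthentication yes
# a later duplicate is ignored because the first value wins
PasswordAuthentication no
"""
```

Running `audit()` on the file of the sshd that is actually deployed shows which of the three paths are explicit and which depend on compiled-in defaults.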


