Kerberos 5 authentication without password?

Hello all.

First a question whose answer may negate the rest of the

Q: Is it possible to configure OpenSSH to allow a user
coming from host X, with a valid TGT there, to login
without being asked for a password... without using
SSH's public key crypto for that password-less auth?

That is, I want OpenSSH authentication to be based on
the presence of a valid Kerberos 5 TGT incoming. This
can be seen in action when using MIT Kerberos' telnet
-a -F and telnetd.

Assuming the answer to that is, "Yes, that is reasonable
and doable.", I am having one hell of a time getting it
to happen.

I have:

0. A Kerberos 5 realm up and working fine. It is a
single testbed machine acting as KDC, application
server, and client host to itself.

1. OpenSSH 4.3p2 built successfully

2. sshd from above functioning generally fine

3. sshd_config with (varies...):

LoginGraceTime 1m
PermitRootLogin no
StrictModes yes
MaxAuthTries 6
RSAAuthentication no
PubkeyAuthentication no
AuthorizedKeysFile .ssh/authorized_keys
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreUserKnownHosts no
IgnoreRhosts yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPICleanupCredentials yes
UsePrivilegeSeparation yes
Subsystem sftp /export/home/libexec/sftp-server

4. A *recompiled* sshd which includes many calls to
debug() in auth-krb5.c (it comes with ~1 debug() call

5. sshd -d shows *zero* sign of *my* debug() calls being made
after very necessary and simple krb5 init calls, but I do
see "debug1: krb5_cleanup_proc called" when I exit my
successful shell (requires password...).

6. The only way I can get *any* form of connection right
now with sshd is to set PasswordAuthentication to 'yes'
(it says no above from when I was testing). This at
least asks me for a password, lets me in, and sets me
up with my TGT in the new shell.

7. I have tried all manner of sshd_config options I can
think of that make any sense to me.

Relevant Pages

  • Multiple hostnames with same IP address (DNS A record)
    ... Is it possible to use Kerberos (specifically OpenSSH w/GSSAPI Key Exchange) on a system with 2 hostnames, but both hostnames have the same DNS A record and therefore the same IP address? ... The odd thing about this is it only fails when ssh'ing FROM a linux host. ...
  • OpenSSH and Kerberos Questions
    ... OpenSSH 3.8.1p1 and have question as wether I am doing it correctly. ... My first step was getting Kerberos 5 operational on all the systems ... GSSAPIAuthentication yes ... At this point I do not have forwardable credentials. ...
  • Re: Kerberos And Openssh 3.8p1 single sign-on
    ... GssapiAuthentication yes ... >> openssh implementation authorizing through kerberos. ... have you enabled credential forwarding? ...
  • Re: Kerberized SSH
    ... >>I have a kerberos 5 client with the ssh daemon installed on it. ... a "srvtab" is required anyway if the host will offer ... > for Kerberos-5 in protocol 2. ... OpenSSH latest version ...
  • locking down ssh
    ... PasswordAuthentication yes ... # Kerberos options ... GSSAPIAuthentication yes ... If this is enabled, PAM authentication will ...