Kerberos 5 authentication without password?
- From: Jeff Blaine <jblaine@xxxxxxxxxxxx>
- Date: Mon, 22 May 2006 21:41:30 -0400
First a question whose answer may negate the rest of the

Q: Is it possible to configure OpenSSH to allow a user
coming from host X, with a valid TGT there, to login
without being asked for a password... without using
SSH's public key crypto for that password-less auth?

That is, I want OpenSSH authentication to be based on
the presence of a valid Kerberos 5 TGT incoming. This
can be seen in action when using MIT Kerberos' telnet
-a -F and telnetd.

Assuming the answer to that is, "Yes, that is reasonable
and doable.", I am having one hell of a time getting it

0. A Kerberos 5 realm up and working fine. It is a
   single testbed machine acting as KDC, application
   server, and client host to itself.

1. OpenSSH 4.3p2 built successfully

2. sshd from above functioning generally fine

3. sshd_config with (varies...):

       Subsystem sftp /export/home/libexec/sftp-server

4. A *recompiled* sshd which includes many calls to
   debug() in auth-krb5.c (it comes with ~1 debug() call

5. sshd -d shows *zero* sign of *my* debug() calls being made
   after very necessary and simple krb5 init calls, but I do
   see "debug1: krb5_cleanup_proc called" when I exit my
   successful shell (requires password...).

6. The only way I can get *any* form of connection right
   now with sshd is to set PasswordAuthentication to 'yes'
   (it says no above from when I was testing). This at
   least asks me for a password, lets me in, and sets me
   up with my TGT in the new shell.

7. I have tried all manner of sshd_config options I can
   think of that make any sense to me.