Dear list members,

I have setted openssh to work with kerberos. My initial ideia is to
permit credential (tickets) or login password (/etc/passwd). In order
to achieve so, i have the following (relevant part only)

GSSAPIAuthentication yes
KerberosAuthentication no
KerberosGetAFSToken no
KerberosOrLocalPasswd no
KerberosTicketCleanup yes
PasswordAuthentication yes

I created a user with "*" password to force GSSAPI authentication.

I got surprised when without having pulled the ticket (and remenber,
with a "*" password entry in /etc/passwd) the user was still allowed
to login by providing a password (from the kerberos server principal)

Now, an explanation:


Use this directive to specify if a password must be accepted as proof
of identity at login. If KerberosAuthentication is disabled, the login
password is sufficient. However, when KerberosAuthentication is also
enabled, the Kerberos Server password is accepted as a proof of

Does anybody know where am i wrong?

PS: I am using openbsd 4.0 stable.