Re: kerberos authentication



Julius wrote:
On Thu, 2008-11-27 at 23:08 +0000, Nigel J. Taylor wrote:
If you are using Kerberos, then you need PasswordAuthentication yes in the
sshd_config also.

If you're using GSSAPI then you need GSSAPIAuthentication yes in the sshd_config
and ssh_config. That is if you're using ssh wf and don't expect a prompt for a
password. The following is using GSSAPI (First a failure as no ticket).

$ ssh me@rhea
Permission denied (publickey,gssapi-with-mic,keyboard-interactive).
$ kinit me
me@xxxxxxxxx's Password:
$ ssh me@rhea
Last login: Thu Nov 27 22:42:21 2008 from pandora.xxx.me.uk
OpenBSD 4.4-stable (GENERIC) #3: Tue Nov 11 00:54:23 GMT 2008

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code. With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.

$ egrep "Authen" /etc/ssh/sshd_config
# Authentication:
PasswordAuthentication no
KerberosAuthentication no
GSSAPIAuthentication yes
$ ^D
Connection to rhea closed.
$ hostname
pandora.xxx.me.uk

Regards

Nigel Taylor



Hi,

It's been some time, but I just hate to find "wrong" information for
good software.
PasswordAuthentication yes is NOT needed for GSSAPI to work as stated in
the first line.
The egrep later shows the truth :)


greets


Hi,

You are correct: for GSSAPIAuthentication, PasswordAuthentication no is correct,
as in the example provided by the egrep.

My first line should have read "If you are using KerberosAuthentication", not
just Kerberos. There were meant to be two different answers; maybe I should have
included an Or between them. Both answers were provided as it was unclear if you
were expecting to use GSSAPIAuthentication or KerberosAuthentication or both.
For KerberosAuthentication to work PasswordAuthentication yes has to be used
(the default setting is PasswordAuthentication yes - according to my man pages
for sshd_config).

The PasswordAuthentication yes with GSSAPIAuthentication yes is required if you
want a fall back to password authentication, when GSSAPIAuthentication fails.
The setting PasswordAuthentication yes/no depends on the way you want ssh to
work when using GSSAPIAuthentication.

Regards

Nigel Taylor
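
Added example, not part of the original thread: a small Python check that reads sshd_config text and reports which of the combinations discussed above is in effect. The names effective_auth, describe and RHEA_SSHD_CONFIG are hypothetical, the sample is constructed from the egrep output in the thread, and Match blocks are ignored as a simplification.

```python
import re

# Defaults documented in sshd_config(5); they apply when a keyword is absent.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kerberosauthentication": "no",
    "gssapiauthentication": "no",
}

# Constructed sample mirroring the egrep output shown in the thread.
RHEA_SSHD_CONFIG = """\
# Authentication:
PasswordAuthentication no
KerberosAuthentication no
GSSAPIAuthentication yes
"""

def effective_auth(config_text):
    """Return the effective global values of the three keywords."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()                    # keywords are case-insensitive
        if key == "match":                        # conditional blocks: out of scope
            break
        if key in DEFAULTS and len(parts) == 2 and key not in seen:
            seen[key] = parts[1].strip().strip('"').lower()  # first value wins
    return {**DEFAULTS, **seen}

def describe(cfg):
    """Explain how the settings interact, following the thread."""
    pw = cfg["passwordauthentication"] == "yes"
    notes = []
    if cfg["gssapiauthentication"] == "yes":
        notes.append("gssapi: ticket-based login enabled, "
                     + ("password fallback available" if pw
                        else "no password fallback"))
    if cfg["kerberosauthentication"] == "yes":
        notes.append("kerberos: password validated against the KDC" if pw
                     else "kerberos: ineffective, PasswordAuthentication is no")
    return notes or ["neither GSSAPI nor Kerberos authentication enabled"]

if __name__ == "__main__":
    for note in describe(effective_auth(RHEA_SSHD_CONFIG)):
        print(note)
```

On a live server, the output of sshd -T is the authoritative view of the effective settings, including defaults and Match handling.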


