Password-less authentication with OpenSSH 3.6.1 and krb5/GSSAPI

Kerry Thompson kerry at crypt.gen.nz
Fri Jun 27 21:50:24 EDT 2003


A few days ago someone posted a problem here where they couldn't get
password-less authentication working properly with OpenSSH 3.6.1 patched
with Simon Wilkinson's GSSAPI patch and compiled with krb5. I've deleted
the messages out so I'm not sure who it was.

I've since run into the same problem; it seems that OpenSSH with Simon's
patch doesn't enable GSSAPI properly when built out of the box. Maybe a
problem with the patched ./configure or configure.ac or autoconf or
something. You can quickly check the status by running 'grep -i gssapi
Makefile' and seeing if you've got the GSSAPI stuff being linked into
the OpenSSH build or not.

I found that after applying Simon's patch, I had to run the OpenSSH
configure like this:

./configure --with-kerberos5=<path_to_MITkrb5_installed_src> \
    --with-cppflags="-DGSSAPI -I/usr/local/include/gssapi" \
    --with-libs="-lgssapi_krb5"

and this builds a good OpenSSH with GSSAPI that does not prompt for
passwords between systems (tested on two RedHat Linux boxes and MIT
krb5 1.2.8).


Kerry
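
The 'grep -i gssapi Makefile' check from the message above, as a stricter added example (not part of the original post or of OpenSSH): it looks for the -DGSSAPI define and the -lgssapi_krb5 library from the configure line as whole tokens and skips commented-out lines. It assumes that flags given to --with-cppflags and --with-libs appear verbatim in the generated Makefile; the function name is hypothetical.

```shell
#!/bin/sh
# Added example: verify that a generated OpenSSH Makefile carries the
# GSSAPI define and library named in the configure line above.
# Assumption: --with-cppflags / --with-libs values land verbatim in
# the Makefile that ./configure writes.

# check_gssapi_makefile FILE
# Prints one status line per flag.
# Returns 0 if both are present, 1 if either is missing, 2 if unreadable.
check_gssapi_makefile() {
    mf=$1
    [ -r "$mf" ] || { echo "cannot read $mf" >&2; return 2; }

    # Drop comment lines so a commented-out flag does not count.
    body=$(grep -v '^[[:space:]]*#' "$mf" || true)

    rc=0
    for tok in -DGSSAPI -lgssapi_krb5; do
        # Match the flag as a whole token, not as a prefix of a longer one.
        if printf '%s\n' "$body" |
            grep -Eq -e "(^|[[:space:]=])${tok}([[:space:]]|\$)"; then
            printf '%s: present\n' "$tok"
        else
            printf '%s: MISSING\n' "$tok"
            rc=1
        fi
    done
    return $rc
}

# Run against a Makefile given on the command line, e.g.
#   sh check_gssapi.sh ./Makefile
if [ $# -gt 0 ]; then
    check_gssapi_makefile "$1"
fi
```

A non-zero exit before running make means the build would produce an sshd without GSSAPI support, which is the symptom described in the message.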
