Kerberos-Gssapi-ldap-pam interaction

Simon Wilkinson sxw at warspite.inf.ed.ac.uk
Fri May 16 13:53:04 EDT 2003


On Thu, 15 May 2003, Brent A Nelson wrote:

> May 15 11:00:36 bani sshd[28552]: Authorized to root, krb5 principal
> brent at PHYS.UFL.EDU (krb5_kuserok)
> May 15 11:00:36 bani sshd[28552]: PAM rejected by account
> configuration[6]: Permission denied

Your pam account layer is rejecting a remote root login. If you've
got something like pam_access in this layer, this probably means that
you've got an access.conf file somewhere (/etc/security on RedHat)
which says "root: LOCAL". Read the pam_access docs if you want to change
this.

> May 15 11:00:33 bani sshd[28552]: pam_krb5afs: authenticate error: Client
> not found in Kerberos database (-1765328378)
> May 15 11:00:33 bani sshd[28552]: pam_krb5afs: authentication fails for
> `root'

Looks like you're then moving on to try password-based authentication.

> PS Does anyone know what's happened with Nicolas Williams's patch to get
> OpenSSH to take Kerberos principals in the authorized_keys file?

Not sure. I think Nicolas is at Sun now.

Cheers,

Simon.
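
The log reading in the reply above, as an added example that is not part of the original post: it groups sshd lines by PID and reports whether the login was refused at the authentication step or at the PAM account layer. The event names and the diagnose() labels are chosen for this example, and the sample log is constructed from the lines quoted in the thread, re-joined and ordered by timestamp.

```python
import re
from collections import defaultdict

# Constructed sample: the sshd lines quoted in the thread, each wrapped
# entry joined back onto one line and ordered by timestamp.
SAMPLE_LOG = """\
May 15 11:00:33 bani sshd[28552]: pam_krb5afs: authenticate error: Client not found in Kerberos database (-1765328378)
May 15 11:00:33 bani sshd[28552]: pam_krb5afs: authentication fails for `root'
May 15 11:00:36 bani sshd[28552]: Authorized to root, krb5 principal brent at PHYS.UFL.EDU (krb5_kuserok)
May 15 11:00:36 bani sshd[28552]: PAM rejected by account configuration[6]: Permission denied
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# Patterns are taken from the quoted messages; the event names are
# labels invented for this example, not sshd or PAM terminology.
EVENTS = [
    ("pam_auth_failed", re.compile(r"^pam_\w+: authentication fails for")),
    ("gssapi_authorized", re.compile(r"^Authorized to \S+, krb5 principal .+ \(krb5_kuserok\)")),
    ("pam_account_denied", re.compile(r"^PAM rejected by account configuration")),
]

def events_by_pid(log_text):
    """Return {pid: [event, ...]} in the order the lines appear."""
    out = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not an sshd line
        for name, pattern in EVENTS:
            if pattern.search(m.group("msg")):
                out[m.group("pid")].append(name)
    return dict(out)

def diagnose(events):
    """Name the layer that refused the session, given one PID's events."""
    if "pam_account_denied" in events:
        # The account stack (e.g. pam_access) said no; if GSSAPI already
        # authorized the principal, the credentials are not the problem.
        return "account-layer"
    if "gssapi_authorized" in events:
        return "ok"
    if "pam_auth_failed" in events:
        return "auth-layer"
    return "unknown"

if __name__ == "__main__":
    for pid, events in events_by_pid(SAMPLE_LOG).items():
        print(pid, events, "->", diagnose(events))
```
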