Kerberos-Gssapi-ldap-pam interaction
Simon Wilkinson
sxw at warspite.inf.ed.ac.uk
Fri May 16 13:53:04 EDT 2003

On Thu, 15 May 2003, Brent A Nelson wrote:

> May 15 11:00:36 bani sshd[28552]: Authorized to root, krb5 principal
> brent at PHYS.UFL.EDU (krb5_kuserok)
> May 15 11:00:36 bani sshd[28552]: PAM rejected by account
> configuration[6]: Permission denied

Your pam account layer is rejecting a remote root login. If you've
got something like pam_access in this layer, this probably means that
you've got an access.conf file somewhere (/etc/security on RedHat)
which says "root: LOCAL". Read the pam_access docs if you want to change
this.

> May 15 11:00:33 bani sshd[28552]: pam_krb5afs: authenticate error: Client
> not found in Kerberos database (-1765328378)
> May 15 11:00:33 bani sshd[28552]: pam_krb5afs: authentication fails for
> `root'

Looks like you're then moving on to try password-based authentication.

> PS Does anyone know what's happened with Nicolas Williams's patch to get
> OpenSSH to take Kerberos principals in the authorized_keys file?

Not sure. I think Nicolas is at Sun now.

Cheers,
Simon.
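
Added example, not part of the original message: a simplified model of how pam_access walks access.conf (first matching rule wins, no match means access is granted), useful for finding which rule produces a "PAM rejected by account configuration" denial. The sample rules and host names are constructed; groups, netgroups and netmask origins are not modelled.

```python
import re

# Constructed sample in access.conf(5) syntax: permission : users : origins
SAMPLE_ACCESS_CONF = """\
# root may only log in from local ttys
- : root : ALL EXCEPT LOCAL
+ : ALL : ALL
"""

def _item_match(token, value, is_origin):
    if token == "ALL":
        return True
    if not is_origin:
        return token == value
    if token == "LOCAL":           # LOCAL: any origin string without a "."
        return "." not in value
    if token.startswith("."):     # domain suffix, e.g. .example.org
        return value.lower().endswith(token.lower())
    if token.endswith("."):       # network prefix, e.g. 192.0.2.
        return value.startswith(token)
    return token.lower() == value.lower()

def _list_match(tokens, value, is_origin):
    # "A B EXCEPT C" matches when A or B matches and C does not.
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        head, tail = tokens[:i], tokens[i + 1:]
    else:
        head, tail = tokens, []
    if not any(_item_match(t, value, is_origin) for t in head):
        return False
    return not (tail and _list_match(tail, value, is_origin))

def evaluate(conf_text, user, origin):
    """Return (allowed, line_number, rule) for the rule that decides."""
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            continue               # malformed line: ignored in this model
        perm, users, origins = fields
        if (_list_match(re.split(r"[,\s]+", users), user, False)
                and _list_match(re.split(r"[,\s]+", origins), origin, True)):
            return perm == "+", n, line
    return True, None, None        # no rule matched: access is granted

if __name__ == "__main__":
    for who, where in [("root", "client.example.org"), ("root", "tty1")]:
        print(who, where, evaluate(SAMPLE_ACCESS_CONF, who, where))
```

For an sshd login the origin handed to the account layer is the remote host rather than a tty, which is why a root rule restricted to LOCAL denies it even after Kerberos authorization has succeeded.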