OpenSSH 3.7, kerberos thru pam

Patrice Seyed apseyed at bu.edu
Fri Feb 13 12:09:09 EST 2004


Quoth apseyed at bu.edu (Patrice Seyed):
| I'm running openssh-3.7.1p1, /etc/pam.d/authconfig is syntactically
| correct regarding pam_kerb5.so, and /etc/krb5.conf and /etc/krb.conf are a
| pristine working config from another linux system. (oh running
| 2.4.21-4.0.1.ELsmp also here).
|
| So Kerberos will only work/authenticate properly with this setup when I
| uncomment in
| /etc/ssh/sshd_config:
| KerberosAuthentication yes

Yes.

| I think is the mechanism for going around PAM though.

Yes.

As I understand it, PAM is not Kerberos authentication in the sense
that your ssh client uses your local credentials to get a service ticket
for the remote sshd.  Rather, it is password authentication - your
password goes across the wire to the remote sshd - where the Kerberos
module acts as a proxy client+server to validate the password.

->I agree that's how it should work, however it doesn't work properly in
this version of ssh. The pamd module will not successfully pass the password
authentication information to Kerberos. The only information in
/var/log/messages regarding this is "incorrect password" even when DEBUG is
turned on.

-Patrice


Donn Cave, donn at drizzle.com
------------------------------
