PAM and GSSAPI SSH authentication conflict

Matthijs Mohlmann matthijs at
Sat Oct 9 09:54:48 EDT 2004

On Fri, 2004-10-08 at 20:12, Rachel Elizabeth Dillon wrote:
> I am building a network that uses Kerberos for authentication. The original
> plan was to have a single bastion host to which users sshed, and logged in
> using their Kerberos password. From that bastion host, users could then 
> ssh to any other machine on the network, authenticatning via forwardable
> Kerberos tickets and GSSAPI. I had this working. But, as always happens
> with these things, requirements changed.
> I am currently evaluating the feasibility of having every machine on the
> network accept either Kerberos tickets or a Kerberos password as an
> authentication mechanism. I believe that this _should_ work, but I haven't
> been able to make it work. I have the following lines in /etc/pam.conf :
> ssh             auth    required try_first_pass 
> ssh             account required 
> ssh             session required 
> ssh             password required try_first_pass
> If I comment these lines out, I get authentication just fine without
> tickets but, unsurprisingly, no password-based authentication via PAM.
> With the lines in place, if I ssh in with appropriate Kerberos tickets,
> I get a host ticket but the following error in sshd -d -d -d :
> debug1: userauth-request for user ptadmin service ssh-connection method external-keyx
> debug1: attempt 1 failures 1
> debug2: input_userauth_request: try method external-keyx
> Authorized to ptadmin, krb5 principal ptadmin at IC.COM (krb5_kuserok)
> debug2: pam_acct_mgmt() = 17
> PAM rejected by account configuration[17]: User account has expired
> To the best of my knowledge the account is not expired, since it can log 
> in just fine either with its Kerberos password or with those lines commented
> out. I tried googling on this phrase and found a variety of errors related
> to password expiry (reasonable), but this user account does not even _have_ 
> a local password; no accounts do in our system. I would expect Solaris to
> do the right thing and not count them as expired passwords in this case, but
> maybe PAM gets tripped up? I'm not sure.
> Anyway, any help would be appreciated. I'm using stock Debian OpenSSH 3.6,
> except recompiled for Solaris.
> Thanks!
> -r.
> ______________________________________________________________________
> ________________________________________________
> Kerberos mailing list           Kerberos at

Ssh has an implementation for the ssh protocol. I don't know which Linux
/ BSD distro you use. But FreeBSD has the ssh kerberos implementation in
the base, Debian has an package: ssh-krb5 you can use. Then config ssh
for GSSAPI authentication and it works.

You don't kneed pam at all for ssh.


More information about the Kerberos mailing list