problem setting up ssh-krb5 from Debian Sarge

dkuhl dkuhl at
Fri Oct 29 13:14:01 EDT 2004

	I don't know about a recommended way for exporting X, not something 
I've had to be involved with.  I think the technique you're persuing is 
probably ok.

	I would recommend changing your common-auth so that pam is not 
required.  Mine reads like this:

#auth   required nullok_secure
auth       sufficient
auth       sufficient nullok try_first_pass
auth       required

	So I have commented out where it's defined as required and 
include it on another line as sufficient.  That may be what's blocking you.

	I'm running Debian Sarge on several machines and I'm able to ssh to any 
of them using MIT Kerberos for authentication.  Most of my user accounts 
on the servers were created without passwords so the Krb5 ticket is the 
only way to get on the machine (root ssh access is denied).


David Kuhl
Parity Systems
dkuhl at

Wes Chow wrote:
> I'm still having the same problem...
> I've copied your sshd_config:
>># To change Kerberos options
>>KerberosAuthentication yes
>>#KerberosOrLocalPasswd yes
>>#AFSTokenPassing no
>>KerberosTicketCleanup yes
>># Kerberos TGT Passing does only work with the AFS kaserver or krb5
>>KerberosTgtPassing yes
>>#GSSAPI authentication
>>GSSAPIAuthentication yes
>>GSSAPIKeyExchange yes
>>GSSAPIUseSessionCredCache yes
> installed libpam-krb5, set CLOSE_SESSIONS as yes, and put this in my
> common-auth:
> auth    sufficient
> auth    required nullok_secure
> All the keytab stuff was set up from before.  In my original email,
> sent a while back, I also mentioned that I can used kerberized telnet
> just fine, so the keytab stuff should be correct.  It's specifically
> PAM stuff that isn't working.  This is all Debian Sarge...
> But maybe I can work around the system...  the principle reason why
> I'm interested in ssh is because I'd like a X to be automatically
> exported.  If there's some way to do that automatically with
> Kerberized rsh or telnet, then I'd be happy with that too.  The only
> reason why I'm fiddling with PAM is to get the automatic X with ssh.
> We rarely log into these machines through the console, and if then,
> only as root.
> I guess my question is what's the recommended way to export X
> automatically through a remote login with the fewest security
> implications?
> Thanks,
> Wes

More information about the Kerberos mailing list