OpenSSH with Kerberos, without PAM

Christian Pfaffel flash at
Mon Sep 6 02:23:22 EDT 2004

"Ryan B. Lynch" <rlynch at> writes:

> Hi,
> I'm wondering if it's possible to get OpenSSH authenticating via Kerberos 
> WITHOUT using PAM.
> I was looking through the archives of the last couple months, specifically the 
> discussions on OpenSSH and krb5, but I couldn't find any references to 
> working setups that didn't use PAM.  Google has a lot of information, but I 
> haven't found anything dealing with the PAM question specifically.  The docs 
> are treating me similarly.

This applies to OpenSSH 3.8.1p1:

# cat /etc/ssh/sshd_config 
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

# cat /etc/ssh/ssh_config
Protocol 2
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

See sshd_config(5) and ssh_config(5). Additionally, you need a
krb5.keytab entry for host/fqdn at domain at the host running sshd.


Christian Pfaffel <flash at>
Technische Universität Graz                 Telefon: +43 / 316 / 873 - 81 90
Institut für Theoretische Physik            Telefax: +43 / 316 / 873 - 86 78
Petersgasse 16, A-8010 Graz
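
Added example, not part of the message above: a shell check for the two server-side prerequisites the reply names, GSSAPIAuthentication enabled in sshd_config and a host/fqdn key in the keytab. The function names, ssh.example.org and EXAMPLE.ORG are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example. ssh.example.org / EXAMPLE.ORG are constructed sample names.

# Print the global value of an sshd_config keyword (lower-cased).
# sshd uses the first value it sees; keywords are case-insensitive.
# Assumes "Keyword value" lines; stops at the first Match block, if any.
sshd_option() {  # $1 = config file, $2 = keyword
    awk -v key="$2" '
        /^[ \t]*#/                  { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Read `klist -k` output on stdin; succeed if it lists host/<fqdn>@<realm>.
keytab_has_host() {  # $1 = fqdn
    awk -v want="host/$1@" '
        { for (i = 1; i <= NF; i++) if (index($i, want) == 1) found = 1 }
        END { exit !found }
    '
}

# Both prerequisites from the post: GSSAPIAuthentication on, host key present.
check_gssapi_setup() {  # $1 = sshd_config, $2 = fqdn, stdin = `klist -k` output
    rc=0
    [ "$(sshd_option "$1" GSSAPIAuthentication)" = yes ] ||
        { echo "GSSAPIAuthentication is not enabled in $1" >&2; rc=1; }
    keytab_has_host "$2" ||
        { echo "no host/$2 principal in the keytab listing" >&2; rc=1; }
    return "$rc"
}

# Real use (as root, on the sshd host):
#   klist -k /etc/krb5.keytab | check_gssapi_setup /etc/ssh/sshd_config "$(hostname -f)"

# Offline run on constructed input.
demo() {
    cfg=$(mktemp) || return 1
    printf '%s\n' '# constructed sample' 'gssapiauthentication yes' \
        'GSSAPICleanupCredentials yes' > "$cfg"
    printf '%s\n' 'KVNO Principal' '   3 host/ssh.example.org@EXAMPLE.ORG' |
        check_gssapi_setup "$cfg" ssh.example.org
    status=$?
    rm -f "$cfg"
    return "$status"
}
```

A commented-out GSSAPIAuthentication line or one that appears only inside a Match block is reported as not enabled, since sshd's default for the option is "no".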
