Kerberos + SSH question

Richard E. Silverman res at
Mon Jun 19 11:09:25 EDT 2006

>>>>> "Nod" == Nod  <none at nospam.none> writes:

    Nod> I've currently got a Heimdal KDC setup for testing. From the
    Nod> testing network, I can succesfully get tickets via kinit, and ssh
    Nod> with the ticket between servers.  Now, I'm trying to get the
    Nod> Windows desktop side working. Right now, I can authenticate
    Nod> (using SecureCRT with Kerberos support) but only when I use kinit
    Nod> from the Windows XP desktop.  What I'm trying to do is get the
    Nod> ssh server on the machine I'm accessing to carry out the kerberos
    Nod> authentication, so I don't have to install kerberos software on
    Nod> all our support staff's desktops, and put everyone's desktop in
    Nod> the realm. Basically, ssh to the server with my kerberos
    Nod> password, and have the server carry out the kerberos work for me.

So, you want to do two entirely different things.  When you kinit on
Windows, you are using ticket-based authentication and you have
single-signon.  Now, you do not want to use Kerberos on the clients; you
want to use password authentication (no single-signon), and have the SSH
server validate the password against Kerberos.

You have not said what SSH server you're using, or what server OS, or
indeed anything about the server at all.  Assuming it's OpenSSH on Unix,
you can use this:

PasswordAuthentication yes
KerberosAuthentication yes

or, use keyboard-interactive authentication and configure PAM to use

  Richard Silverman
  res at

More information about the Kerberos mailing list