Kerberos + SSH question

Richard E. Silverman res at
Mon Jun 19 23:09:01 EDT 2006

> On 19 Jun 2006 11:09:25 -0400, "Richard E. Silverman" <res at> wrote:
> >>>>>> "Nod" == Nod  <none at nospam.none> writes:
> >
> >    Nod> I've currently got a Heimdal KDC setup for testing. From the
> >    Nod> testing network, I can successfully get tickets via kinit, and ssh
> >    Nod> with the ticket between servers.  Now, I'm trying to get the
> >    Nod> Windows desktop side working. Right now, I can authenticate
> >    Nod> (using SecureCRT with Kerberos support) but only when I use kinit
> >    Nod> from the Windows XP desktop.  What I'm trying to do is get the
> >    Nod> ssh server on the machine I'm accessing to carry out the kerberos
> >    Nod> authentication, so I don't have to install kerberos software on
> >    Nod> all our support staff's desktops, and put everyone's desktop in
> >    Nod> the realm. Basically, ssh to the server with my kerberos
> >    Nod> password, and have the server carry out the kerberos work for me.
> >
> >So, you want to do two entirely different things.  When you kinit on
> >Windows, you are using ticket-based authentication and you have
> >single-signon.  Now, you do not want to use Kerberos on the clients; you
> >want to use password authentication (no single-signon), and have the SSH
> >server validate the password against Kerberos.
> >
> >You have not said what SSH server you're using, or what server OS, or
> >indeed anything about the server at all.  Assuming it's OpenSSH on Unix,
> >you can use this:
> >
> >PasswordAuthentication yes
> >KerberosAuthentication yes
> >
> >or, use keyboard-interactive authentication and configure PAM to use
> >Kerberos.
> OpenSSH_4.3p2, FreeBSD 6.0, in this case.
> PAM config for ssh
> u2:~# cat /etc/pam.d/sshd | grep krb
> auth            sufficient             no_warn try_first_pass
> account         required
> password        sufficient             no_warn try_first_pass

Since the PAM config is order-dependent, grepping out certain lines does
not show whether it would work, or even if these lines would be consulted
at all.

> SSHD config
> PermitRootLogin yes
> PasswordAuthentication yes
> ChallengeResponseAuthentication yes
> KerberosAuthentication yes
> KerberosOrLocalPasswd yes
> KerberosTicketCleanup yes
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
> UsePAM yes
> Subsystem       sftp    /usr/libexec/sftp-server
> SSH debug of connection attempt, in keyboard interactive mode.
> Invalid user nod at from ip
> input_userauth_request: invalid user nod at
> debug1: PAM: initializing for "nod at"
> debug1: PAM: setting PAM_RHOST to ""
> Failed none for invalid user nod at from ip port 3727 ssh2
> Failed none for invalid user nod at from ip port 3727 ssh2
> debug1: userauth-request for user nod at service ssh-connection
> method keyboard-interactive
> debug1: attempt 1 failures 1
> debug1: keyboard-interactive devs 
> debug1: auth2_challenge: user=nod at devs=
> debug1: kbdint_alloc: devices 'pam'
> debug1: auth2_challenge_start: trying authentication method 'pam'
> Postponed keyboard-interactive for invalid user nod at from ip
> port 3727 ssh2
> PAM: authentication error for illegal user nod at from
> Failed keyboard-interactive/pam for invalid user nod at from ip
> port 3727 ssh2
> Failed keyboard-interactive/pam for invalid user nod at from ip
> port 3727 ssh2
> Received disconnect from ip: 13: The user canceled authentication. 

> This doesn't appear to have worked, perhaps I'm missing something?

The various references to "illegal user" and "invalid user" suggest an
independent reason why sshd or PAM don't like this account.  You'd get
this if, for example, you had set AllowUsers and this account were not
listed.  Perhaps there's something else wrong with this account that PAM
checks, e.g. it has a shell not in /etc/shells?

This seems familiar to me...

  Richard Silverman
  res at
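
Added example, not part of the original message: the point above about PAM order, shown as a small Python check that reads a whole stack and lists which earlier rules can end a chain before the Kerberos module is consulted. The sample file is constructed in the style of a FreeBSD /etc/pam.d/sshd, and the module name pam_krb5.so and the helper names are assumptions, since the thread shows only the grepped lines.

```python
# Constructed sample in the style of a FreeBSD /etc/pam.d/sshd. It is NOT the
# poster's file: the thread shows only the grepped lines, not the full stack.
SAMPLE = """\
# auth
auth      sufficient  pam_opie.so        no_warn no_fake_prompts
auth      requisite   pam_opieaccess.so  no_warn allow_local
auth      sufficient  pam_krb5.so        no_warn try_first_pass
#auth     sufficient  pam_ssh.so         no_warn try_first_pass
auth      required    pam_unix.so        no_warn try_first_pass
# account
account   required    pam_nologin.so
account   required    pam_krb5.so
account   required    pam_unix.so
"""

# Control flags that can end a chain before later rules run, and on which
# outcome. Assumes plain keyword flags (no "include", no bracketed controls).
EARLY_EXIT = {"sufficient": "success", "binding": "success", "requisite": "failure"}

def chain(text, facility):
    """Active (uncommented) rules for one facility, in file order."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == facility:
            rules.append((lineno, fields[1], fields[2]))
    return rules

def gates_before(text, facility, module):
    """Earlier rules that can stop the chain before `module` is consulted.

    Returns None when `module` has no active rule for this facility."""
    rules = chain(text, facility)
    for i, (_, _, name) in enumerate(rules):
        if name == module:
            return [(n, ctl, mod, EARLY_EXIT[ctl])
                    for n, ctl, mod in rules[:i] if ctl in EARLY_EXIT]
    return None

def report(text, module="pam_krb5.so"):
    for facility in ("auth", "account", "session", "password"):
        gates = gates_before(text, facility, module)
        if gates is None:
            print(f"{facility}: no active {module} rule")
        elif not gates:
            print(f"{facility}: {module} is always reached")
        for n, ctl, mod, outcome in gates or []:
            print(f"{facility}: {module} skipped if line {n} {mod} ({ctl}) ends in {outcome}")

if __name__ == "__main__":
    report(SAMPLE)
```

A `sufficient` success ends the chain only when no earlier `required` rule has already failed, so the report lists the rules that can skip the module, not the ones that will.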
