Kerberos + SSH question

Nod none at nospam.none
Mon Jun 19 14:09:07 EDT 2006


On 19 Jun 2006 11:09:25 -0400, "Richard E. Silverman" <res at qoxp.net> wrote:

>>>>>> "Nod" == Nod  <none at nospam.none> writes:
>
>    Nod> I've currently got a Heimdal KDC setup for testing. From the
>    Nod> testing network, I can successfully get tickets via kinit, and ssh
>    Nod> with the ticket between servers.  Now, I'm trying to get the
>    Nod> Windows desktop side working. Right now, I can authenticate
>    Nod> (using SecureCRT with Kerberos support) but only when I use kinit
>    Nod> from the Windows XP desktop.  What I'm trying to do is get the
>    Nod> ssh server on the machine I'm accessing to carry out the kerberos
>    Nod> authentication, so I don't have to install kerberos software on
>    Nod> all our support staff's desktops, and put everyone's desktop in
>    Nod> the realm. Basically, ssh to the server with my kerberos
>    Nod> password, and have the server carry out the kerberos work for me.
>
>So, you want to do two entirely different things.  When you kinit on
>Windows, you are using ticket-based authentication and you have
>single-signon.  Now, you do not want to use Kerberos on the clients; you
>want to use password authentication (no single-signon), and have the SSH
>server validate the password against Kerberos.
>
>You have not said what SSH server you're using, or what server OS, or
>indeed anything about the server at all.  Assuming it's OpenSSH on Unix,
>you can use this:
>
>PasswordAuthentication yes
>KerberosAuthentication yes
>
>or, use keyboard-interactive authentication and configure PAM to use
>Kerberos.

OpenSSH_4.3p2, FreeBSD 6.0, in this case.

PAM config for ssh
u2:~# cat /etc/pam.d/sshd | grep krb
auth            sufficient      pam_krb5.so             no_warn try_first_pass
account         required        pam_krb5.so
password        sufficient      pam_krb5.so             no_warn try_first_pass

SSHD config
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
Subsystem       sftp    /usr/libexec/sftp-server



SSH debug of connection attempt, in keyboard interactive mode.

Invalid user nod@test.myrealm.com from ip
input_userauth_request: invalid user nod@test.myrealm.com
debug1: PAM: initializing for "nod@test.myrealm.com"
debug1: PAM: setting PAM_RHOST to "nt1.myrealm.com"
Failed none for invalid user nod@test.myrealm.com from ip port 3727 ssh2
Failed none for invalid user nod@test.myrealm.com from ip port 3727 ssh2
debug1: userauth-request for user nod@test.myrealm.com service ssh-connection method keyboard-interactive
debug1: attempt 1 failures 1
debug1: keyboard-interactive devs 
debug1: auth2_challenge: user=nod@test.myrealm.com devs=
debug1: kbdint_alloc: devices 'pam'
debug1: auth2_challenge_start: trying authentication method 'pam'
Postponed keyboard-interactive for invalid user nod@test.myrealm.com from ip port 3727 ssh2
PAM: authentication error for illegal user nod@test.myrealm.com from nt1.myrealm.com
Failed keyboard-interactive/pam for invalid user nod@test.myrealm.com from ip port 3727 ssh2
Failed keyboard-interactive/pam for invalid user nod@test.myrealm.com from ip port 3727 ssh2
Received disconnect from ip: 13: The user canceled authentication.

This doesn't appear to have worked; perhaps I'm missing something?
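An added example, not part of this thread: a small Python triage helper that parses sshd authentication lines like the debug output above and flags "invalid user" entries whose login name contains "@". sshd labels a name "invalid user" when it has no local account, and OpenSSH never lets such a session authenticate whatever PAM decides, so a Kerberos principal typed as the login name is worth spotting early. The sample lines are constructed, with placeholder addresses and ports.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the sshd debug output in the thread;
# 192.0.2.10 and the ports are placeholders, not values from a real host.
SAMPLE_LOG = """\
Invalid user nod@test.myrealm.com from 192.0.2.10
Failed none for invalid user nod@test.myrealm.com from 192.0.2.10 port 3727 ssh2
Postponed keyboard-interactive for invalid user nod@test.myrealm.com from 192.0.2.10 port 3727 ssh2
Failed keyboard-interactive/pam for invalid user nod@test.myrealm.com from 192.0.2.10 port 3727 ssh2
Received disconnect from 192.0.2.10: 13: The user canceled authentication.
Accepted keyboard-interactive/pam for nod from 192.0.2.10 port 3801 ssh2
"""

# Matches the Accepted/Failed/Postponed lines sshd logs per auth attempt.
AUTH_RE = re.compile(
    r"^(?P<result>Accepted|Failed|Postponed) (?P<method>\S+) for "
    r"(?:(?P<invalid>invalid user) )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_auth_events(log_text):
    """Return one dict per sshd auth line: result, method, user, ip, port, invalid."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["invalid"] = ev["invalid"] is not None  # no local account for this name
            ev["port"] = int(ev["port"])
            events.append(ev)
    return events


def summarize(events):
    """Count (result, method) pairs per login name and collect 'invalid user'
    names containing '@', i.e. a Kerberos principal given where sshd expects
    the local account name that PAM will map to a principal."""
    counts = defaultdict(lambda: defaultdict(int))
    suspects = set()
    for ev in events:
        counts[ev["user"]][(ev["result"], ev["method"])] += 1
        if ev["invalid"] and "@" in ev["user"]:
            suspects.add(ev["user"])
    return {u: dict(c) for u, c in counts.items()}, sorted(suspects)
```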


