Kerberos + SSH question

Nod none at nospam.none
Tue Jun 20 09:34:38 EDT 2006

On 19 Jun 2006 23:09:01 -0400, "Richard E. Silverman" <res at> wrote:

>> On 19 Jun 2006 11:09:25 -0400, "Richard E. Silverman" <res at> wrote:
>> >>>>>> "Nod" == Nod  <none at nospam.none> writes:
>> >
>> >    Nod> I've currently got a Heimdal KDC setup for testing. From the
>> >    Nod> testing network, I can successfully get tickets via kinit, and ssh
>> >    Nod> with the ticket between servers.  Now, I'm trying to get the
>> >    Nod> Windows desktop side working. Right now, I can authenticate
>> >    Nod> (using SecureCRT with Kerberos support) but only when I use kinit
>> >    Nod> from the Windows XP desktop.  What I'm trying to do is get the
>> >    Nod> ssh server on the machine I'm accessing to carry out the kerberos
>> >    Nod> authentication, so I don't have to install kerberos software on
>> >    Nod> all our support staff's desktops, and put everyone's desktop in
>> >    Nod> the realm. Basically, ssh to the server with my kerberos
>> >    Nod> password, and have the server carry out the kerberos work for me.
>> >
>> >So, you want to do two entirely different things.  When you kinit on
>> >Windows, you are using ticket-based authentication and you have
>> >single-signon.  Now, you do not want to use Kerberos on the clients; you
>> >want to use password authentication (no single-signon), and have the SSH
>> >server validate the password against Kerberos.
>> >
>> >You have not said what SSH server you're using, or what server OS, or
>> >indeed anything about the server at all.  Assuming it's OpenSSH on Unix,
>> >you can use this:
>> >
>> >PasswordAuthentication yes
>> >KerberosAuthentication yes
>> >
>> >or, use keyboard-interactive authentication and configure PAM to use
>> >Kerberos.
>> OpenSSH_4.3p2, FreeBSD 6.0, in this case.
>> PAM config for ssh
>> u2:~# cat /etc/pam.d/sshd | grep krb
>> auth            sufficient             no_warn try_first_pass
>> account         required
>> password        sufficient             no_warn try_first_pass
>Since the PAM config is order-dependent, grepping out certain lines does
>not show whether it would work, or even if these lines would be consulted
>at all.
>> SSHD config
>> PermitRootLogin yes
>> PasswordAuthentication yes
>> ChallengeResponseAuthentication yes
>> KerberosAuthentication yes
>> KerberosOrLocalPasswd yes
>> KerberosTicketCleanup yes
>> GSSAPIAuthentication yes
>> GSSAPICleanupCredentials yes
>> UsePAM yes
>> Subsystem       sftp    /usr/libexec/sftp-server
>> SSH debug of connection attempt, in keyboard interactive mode.
>> Invalid user nod at from ip
>> input_userauth_request: invalid user nod at
>> debug1: PAM: initializing for "nod at"
>> debug1: PAM: setting PAM_RHOST to ""
>> Failed none for invalid user nod at from ip port 3727 ssh2
>> Failed none for invalid user nod at from ip port 3727 ssh2
>> debug1: userauth-request for user nod at service ssh-connection
>> method keyboard-interactive
>> debug1: attempt 1 failures 1
>> debug1: keyboard-interactive devs 
>> debug1: auth2_challenge: user=nod at devs=
>> debug1: kbdint_alloc: devices 'pam'
>> debug1: auth2_challenge_start: trying authentication method 'pam'
>> Postponed keyboard-interactive for invalid user nod at from ip
>> port 3727 ssh2
>> PAM: authentication error for illegal user nod at from
>> Failed keyboard-interactive/pam for invalid user nod at from ip
>> port 3727 ssh2
>> Failed keyboard-interactive/pam for invalid user nod at from ip
>> port 3727 ssh2
>> Received disconnect from ip: 13: The user canceled authentication. 
>> This doesn't appear to have worked, perhaps I'm missing something?
>The various references to "illegal user" and "invalid user" suggest an
>independent reason why sshd or PAM don't like this account.  You'd get
>this if, for example, you had set AllowUsers and this account were not
>listed.  Perhaps there's something else wrong with this account that PAM
>checks, e.g. it has a shell not in /etc/shells?
>This seems familiar to me...

Here's the whole pam config for ssh:

# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
# PAM configuration for the "sshd" service

# auth
auth            required          no_warn
auth            sufficient             no_warn no_fake_prompts
auth            requisite       no_warn allow_local
auth            sufficient             no_warn try_first_pass
#auth           sufficient              no_warn try_first_pass
auth            required             no_warn try_first_pass

# account
account         required
account         required
account         required

# session
#session        optional
session         required

# password
password        sufficient             no_warn try_first_pass
password        required             no_warn try_first_pass

As for the user, no, it doesn't exist on the box. This might be where I'm
running into a problem. Right now, this box only has its root user and various
system accounts on it. Here's what I'm trying to do:
- Set up kerberos users for my various support techs. This is done, and I can
kinit from the servers as those users.
- Allow the kerberos users login access to the servers, and eventually, sudo
access. Right now, I've not added any local users to the servers themselves, as
I was under the impression that having them in Kerberos would make them a
'virtual' user of sorts.

Am I missing something here, or do I have a fundamental misunderstanding on
something? Your input is greatly appreciated.
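[Editor's note, added to this archived thread and not part of any poster's message: the "invalid user" lines in the debug output above come from sshd itself, which looks the login name up with getpwnam() before any PAM module runs; when the lookup fails, sshd still goes through the motions of authentication (so the client cannot tell valid from invalid names) but rejects the attempt whatever PAM returns, so a principal that exists only in the KDC never gets a successful pam_krb5 login. The POSIX sh script below is a preflight for that account-side prerequisite: it checks that the name resolves locally, that the login shell is listed in the shells file (the account check the reply above raises), and that any AllowUsers directive in sshd_config includes the name. It is an added example, not code from the thread or from OpenSSH; the users alice, bob and nod and all three files are constructed fixtures written by setup_fixtures, and file paths are parameters so it can be pointed at /etc/passwd, /etc/shells and /etc/ssh/sshd_config on a real host (or at the output of getent passwd where NSS supplies accounts).]

```shell
#!/bin/sh
# Preflight for "Kerberos password via PAM, no Kerberos client software":
# sshd resolves the login name with getpwnam() before PAM runs, so a
# principal that exists only in the KDC is logged as "invalid user" and
# cannot log in no matter what pam_krb5 says. These checks cover the
# account-side prerequisites. Added example; alice/bob/nod and the
# fixture files are constructed, not real system data.

# Print the passwd line for a user; fail if the account does not resolve.
passwd_entry() {  # passwd_file user
    awk -F: -v u="$2" '$1 == u { print; found = 1 } END { exit !found }' "$1"
}

# Login shell field (7th) of the user's passwd entry.
user_shell() {  # passwd_file user
    passwd_entry "$1" "$2" | awk -F: '{ print $7 }'
}

# Is this shell listed in the shells file (comments and blank lines ignored)?
shell_allowed() {  # shells_file shell
    grep -v '^[[:space:]]*#' "$1" | grep -qx "$2"
}

# If sshd_config carries an AllowUsers directive, the user must be listed;
# with no directive every resolvable user is permitted.
allowusers_permits() {  # sshd_config user
    list=$(awk 'tolower($1) == "allowusers" { $1 = ""; print }' "$1")
    [ -z "$list" ] && return 0
    for entry in $list; do
        [ "$entry" = "$2" ] && return 0
    done
    return 1
}

# Run all checks; return 0 only if sshd would get past user lookup and
# actually hand the password to the PAM stack.
check_login() {  # passwd_file shells_file sshd_config user
    pw=$1; shells=$2; cfg=$3; user=$4
    if ! passwd_entry "$pw" "$user" >/dev/null; then
        echo "$user: no local account, sshd logs 'invalid user' and never accepts pam_krb5"
        return 1
    fi
    shell=$(user_shell "$pw" "$user")
    if ! shell_allowed "$shells" "$shell"; then
        echo "$user: login shell $shell is not in the shells file"
        return 1
    fi
    if ! allowusers_permits "$cfg" "$user"; then
        echo "$user: not listed in AllowUsers"
        return 1
    fi
    echo "$user: local account OK, sshd will hand the password to PAM"
    return 0
}

# Constructed fixtures (not real system files) so the script runs stand-alone.
# Prints the directory holding passwd, shells and sshd_config.
setup_fixtures() {
    dir=$(mktemp -d)
    cat >"$dir/passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001:Support tech:/home/alice:/bin/sh
bob:*:1002:1002:Support tech:/home/bob:/usr/sbin/nologin
EOF
    cat >"$dir/shells" <<'EOF'
# List of acceptable shells
/bin/sh
/bin/csh
EOF
    cat >"$dir/sshd_config" <<'EOF'
PasswordAuthentication yes
KerberosAuthentication yes
UsePAM yes
AllowUsers alice bob
EOF
    echo "$dir"
}

# Usage against the fixtures (nod, the KDC-only principal, is rejected at lookup):
#   FIX=$(setup_fixtures)
#   check_login "$FIX/passwd" "$FIX/shells" "$FIX/sshd_config" nod
#   check_login "$FIX/passwd" "$FIX/shells" "$FIX/sshd_config" alice
```

The script deliberately does nothing about the PAM stack: once the account resolves, whether pam_krb5 is reached is a question of module order and control flags (the point made in the reply above about grepping only the krb lines), and that has to be read from the full file rather than tested from outside.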

