Kerberos auth based on ticket
Mathew Rowley
mathew_rowley at cable.comcast.com
Mon Dec 15 18:49:29 EST 2008
Well, that would make sense... Looking at the sshd and ssh configurations,
it seems to be enabled on both. Is there some configuration I am missing?
[root at ipa01 ~]# grep -i GSSAPI /etc/ssh/ssh_config
GSSAPIAuthentication yes
[root at ipa01 ~]# grep -i GSSAPI /etc/ssh/sshd_config
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
MAT
On 12/15/08 4:45 PM, "Russ Allbery" <rra at stanford.edu> wrote:
> Mathew Rowley <mathew_rowley at cable.comcast.com> writes:
>
>> > I am having a really hard time finding any documentation about PAM
>> > configurations. I want to be able to authenticate an SSH login with a
>> > valid Kerberos ticket. What configurations do I need within the
>> > /etc/pam.d/system-auth file to allow an authentication to succeed with a
>> > valid ticket.
>
> You're having a hard time finding that documentation because those are two
> unrelated things. PAM configuration only affects what one does once one
> has a password in hand. To authenticate with a Kerberos ticket, you need
> both an ssh client and an ssh server that support GSSAPI authentication, a
> keytab for the server, and GSSAPI authentication enabled. PAM is not
> involved.
>
> --
> Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
>
More information about the Kerberos
mailing list