Kerberos auth based on ticket

Mathew Rowley mathew_rowley at
Mon Dec 15 18:49:29 EST 2008

Well, that would make sense... Looking at the sshd and ssh configurations,
it seems to be enabled on both.  Is there some configuration I am missing?

[root at ipa01 ~]# grep -i GSSAPI  /etc/ssh/ssh_config
        GSSAPIAuthentication yes
[root at ipa01 ~]# grep -i GSSAPI  /etc/ssh/sshd_config
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes


On 12/15/08 4:45 PM, "Russ Allbery" <rra at> wrote:

> Mathew Rowley <mathew_rowley at> writes:
>> > I am having a really hard time finding any documentation about PAM
>> > configurations.  I want to be able to authenticate an SSH login with a
>> > valid Kerberos ticket.  What configurations do I need within the
>> > /etc/pam.d/system-auth file to allow an authentication to succeed with a
>> > valid ticket.
> You're having a hard time finding that documentation because those are two
> unrelated things.  PAM configuration only affects what one does once one
> has a password in hand.  To authenticate with a Kerberos ticket, you need
> both an ssh client and an ssh server that support GSSAPI authentication, a
> keytab for the server, and GSSAPI authentication enabled.  PAM is not
> involved.
> --
> Russ Allbery (rra at             <>

More information about the Kerberos mailing list