Problem using Kerberos for user authentication -- ChallengeResponseAuthentication
Steve Glasser
sgla9347 at gmail.com
Thu Nov 12 11:27:06 EST 2009
Hi all,
We are running Kerberos/Ldap on RHEL 5.2, both server and clients. We
have found that if we set
ChallengeResponseAuthentication yes
in sshd_conf the result is no TGT ticket is created when a user logs
in by ssh. This problem is detailed in a Debian bug report here; we
don't see it having ever been fixed in redhat
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=339734
Setting
PasswordAuthentication yes
does work, at least in our environment.
If anyone has any further information on this we'd appreciate it.
Cheers,
Steve
On Wed, Nov 11, 2009 at 11:28 PM, Jeffrey Watts
<jeffrey.w.watts at gmail.com> wrote:
> On Wed, Nov 11, 2009 at 9:46 AM, Javier Palacios <javiplx at gmail.com> wrote:
>
< snip >
>
> One quick thing you must look at first, however, is your sshd_config. The
> stock F11 sshd setup is not compatible with pam_krb5. The following two
> options must be set:
> ChallengeResponseAuthentication yes
> UsePAM yes
>
> The latter is set by default, but the former is not. If
> ChallengeResponseAuthentication is disabled, sshd will not use PAM for
> authentication, which means pam_krb5 will never get invoked to handle the
> auth. You should also enable the two GSSAPI options so that sshd will take
> tickets.
>
< snip >
> Good luck,
> Jeffrey.
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
--
Steve Glasser
sgla9347 at gmail.com
More information about the Kerberos
mailing list