Problem using Kerberos for user authentication -- ChallengeResponseAuthentication

Steve Glasser sgla9347 at gmail.com
Thu Nov 12 11:27:06 EST 2009


Hi all,

We are running Kerberos/LDAP on RHEL 5.2, both server and clients.  We
have found that if we set
  ChallengeResponseAuthentication yes
in sshd_config the result is that no TGT ticket is created when a user logs
in by ssh.  This problem is detailed in a Debian bug report here; we
don't see it having ever been fixed in Red Hat
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=339734
Setting
  PasswordAuthentication yes
does work, at least in our environment.

If anyone has any further information on this we'd appreciate it.

Cheers,
Steve

On Wed, Nov 11, 2009 at 11:28 PM, Jeffrey Watts
<jeffrey.w.watts at gmail.com> wrote:
> On Wed, Nov 11, 2009 at 9:46 AM, Javier Palacios <javiplx at gmail.com> wrote:
>
< snip >
>
> One quick thing you must look at first, however, is your sshd_config.  The
> stock F11 sshd setup is not compatible with pam_krb5.  The following two
> options must be set:
> ChallengeResponseAuthentication yes
> UsePAM yes
>
> The latter is set by default, but the former is not.  If
> ChallengeResponseAuthentication is disabled, sshd will not use PAM for
> authentication, which means pam_krb5 will never get invoked to handle the
> auth.  You should also enable the two GSSAPI options so that sshd will take
> tickets.
>
< snip >
> Good luck,
> Jeffrey.
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



-- 
Steve Glasser
sgla9347 at gmail.com
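
An added example, not part of the original thread: a small shell check that reports what an sshd_config actually sets for the options discussed above. The post does not name "the two GSSAPI options"; GSSAPIAuthentication and GSSAPICleanupCredentials are assumed here, and the sample config is constructed.

```shell
#!/bin/sh
# Added example: read the sshd_config keywords discussed in this thread.
# sshd keeps the first value it reads for a keyword and matches keywords
# case-insensitively, so a later duplicate line has no effect.

# sshd_first_value KEYWORD < config: print the first global value, lowercased.
sshd_first_value() {
    awk -v want="$1" '
        BEGIN { want = tolower(want) }
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }   # trim whitespace
        $0 == "" || /^#/ { next }                    # blank line or comment
        {
            n = match($0, /[ \t=]+/)                 # "Key value" or "Key=value"
            if (n == 0) next
            key = tolower(substr($0, 1, n - 1))
            if (key == "match") exit                 # global section ends here
            if (key == want) { print tolower(substr($0, n + RLENGTH)); exit }
        }'
}

# krb_ssh_report FILE: one "Keyword=value" line per option, "unset" when the
# file leaves the option to the built-in default.
krb_ssh_report() {
    # The two GSSAPI keyword names are an assumption (not named in the thread).
    for kw in UsePAM ChallengeResponseAuthentication PasswordAuthentication \
              GSSAPIAuthentication GSSAPICleanupCredentials; do
        v=$(sshd_first_value "$kw" < "$1")
        echo "$kw=${v:-unset}"
    done
}

# Constructed sample input, not taken from either poster's systems.
sample_config() {
cat <<'EOF'
# constructed sample sshd_config
UsePAM yes
challengeresponseauthentication no
ChallengeResponseAuthentication yes
PasswordAuthentication=yes
GSSAPIAuthentication yes
Match User backup
    PasswordAuthentication no
EOF
}

# Demo: report on the file given as $1, or on the sample when none is given.
if [ -n "${1:-}" ]; then krb_ssh_report "$1"
else tmp=$(mktemp) && sample_config > "$tmp" && krb_ssh_report "$tmp"; rm -f "$tmp"
fi
```

In the sample, the second ChallengeResponseAuthentication line is ignored because the first one already set the value, which is the kind of duplicate worth ruling out before comparing behaviour between hosts.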