Problem using Kerberos for user authentication -- ChallengeResponseAuthentication

Russ Allbery rra at stanford.edu
Fri Nov 13 14:35:44 EST 2009


Steve Glasser <sgla9347 at gmail.com> writes:

> We are running Kerberos/Ldap on RHEL 5.2, both server and clients.  We
> have found that if we set
>   ChallengeResponseAuthentication yes
> in sshd_conf the result is no TGT ticket is created when a user logs
> in by ssh.  This problem is detailed in a Debian bug report here; we
> don't see it having ever been fixed in redhat
>   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=339734
> Setting
>   PasswordAuthentication yes
> does work, at least in our environment.

Red Hat and Debian use completely different code bases for pam-krb5.  That
particular bug (ssh running PAM in odd contexts and discarding PAM data)
is something that I thought Red Hat's PAM module had its own workaround
for using shared memory or some such thing, but since I don't use it, I'm
not sure.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>



More information about the Kerberos mailing list