Help: OpenSSH cannot login by Kerberos

Lee Eric openlinuxsource at gmail.com
Sat Jun 11 22:55:04 EDT 2011


Thanks mate. And btw, I use pam_afs_session in OpenSSH pam
configuration, so do I have to comment out UsePAM?

Eric

On Sun, Jun 12, 2011 at 1:09 AM, Brian Candler <B.Candler at pobox.com> wrote:
> On Sat, Jun 11, 2011 at 02:18:57PM +0800, Lee Eric wrote:
>> # Kerberos options
>> KerberosAuthentication yes
>
> Aside: note that you almost certainly don't want this.
> "KerberosAuthentication" means "cleartext password authentication, checking
> the password against the KDC"
>
> To authenticate people using their Kerberos ticket you need:
>
>> GSSAPIAuthentication yes
>
> (which you already have), and preferably also:
>
> GSSAPIKeyExchange yes
>
> (this is a second form of ssh Kerberos authentication which takes advantage
> of Kerberos mutual authentication, to authenticate the server to the client
> as well as the client to the server. It means you don't need the known_hosts
> file, and the user is never prompted whether or not to accept the host key
> fingerprint when first connecting)
>
>> UsePAM yes
>
> You probably don't want that, unless you're also authenticating against PAM
> in the event that Kerberos fails.
>
>> And on client side, I'm getting the principle of the user huli then
>> try to login.
>
>> debug3: Not a RSA1 key file /root/.ssh/id_rsa.
>> debug2: key_type_from_name: unknown key type '-----BEGIN'
>
> That's broken; you should rm that file (or mv it out of the way). You can't
> use a PGP key or an X509-style private key as an SSH key.
>
> Regards,
>
> Brian.
>
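A small sshd_config audit for the settings Brian walks through, added here as an example and not code from either poster. It reads the first effective value of each keyword (sshd uses the first occurrence), flags `KerberosAuthentication yes` because that path sends the user's password to sshd for verification at the KDC, and checks that ticket-based `GSSAPIAuthentication` is on. The sample config it runs against is constructed to mirror the snippet in the thread; note that `GSSAPIKeyExchange` is only understood by OpenSSH builds carrying the GSSAPI key-exchange patch (Debian/Ubuntu and Red Hat packages ship it; upstream does not), and `Match` blocks are not handled.

```shell
#!/bin/sh
# Added example, not from the thread: audit sshd_config for Kerberos/GSSAPI options.

ssh_opt() {
    # $1 = config file, $2 = keyword. Prints the first effective value, lowercased,
    # or nothing if the keyword is unset. Comments, blank lines and "Key=value" handled.
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            line = $0; sub(/^[[:space:]]+/, "", line)
            split(line, f, /[[:space:]=]+/)
            if (tolower(f[1]) == key) { print tolower(f[2]); exit }
        }' "$1"
}

audit_krb_sshd() {
    # $1 = path to sshd_config. Returns 1 when password-style Kerberos auth is on
    # or ticket-based GSSAPI auth is off; 0 otherwise.
    cfg="$1"; rc=0
    for k in KerberosAuthentication GSSAPIAuthentication GSSAPIKeyExchange UsePAM; do
        v=$(ssh_opt "$cfg" "$k")
        [ -n "$v" ] || v="no (unset; upstream sshd default)"
        echo "$k: $v"
    done
    if [ "$(ssh_opt "$cfg" KerberosAuthentication)" = yes ]; then
        echo "WARN: KerberosAuthentication yes = cleartext password checked at the KDC"
        rc=1
    fi
    if [ "$(ssh_opt "$cfg" GSSAPIAuthentication)" != yes ]; then
        echo "WARN: GSSAPIAuthentication is not enabled; tickets cannot be used to log in"
        rc=1
    fi
    [ "$(ssh_opt "$cfg" GSSAPIKeyExchange)" = yes ] || \
        echo "NOTE: GSSAPIKeyExchange off; host identity falls back to known_hosts"
    return $rc
}

# Constructed sample config mirroring the thread's snippet (not a real host's file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Kerberos options
KerberosAuthentication yes
GSSAPIAuthentication yes
UsePAM yes
EOF
audit_krb_sshd "$sample" || echo "audit exit status: $?"
rm -f "$sample"
```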