kerberos auth for ssh2

Simon Wilkinson simon at sxw.org.uk
Mon Aug 1 03:42:35 EDT 2005


Kevin J Kalupson wrote:
> 1)My main goal is to implement kerberos authentication for ssh via
> gssapi-with-mic.  I have found a lot web sites where people claim to
> have it working, but I have not experienced success yet.
> To your knowledge, should this method now work with up to date
> installations of openssh and kerberos and using ssh2?

gssapi-with-mic has been supported in OpenSSH since November 2003. It
definitely works with an up to date installation. In the vanilla OpenSSH
release, it is disabled by default. You will need 'GSSAPIAuthentication
yes' in both client and server configuration files, and
'GSSAPIDelegateCredentials yes' on the client.

> 2)I am using PAM auth modules.  Currently, users can log in using their
> kerberos password.  If I am using PAM, do I need "extra" configuration
> so that pam will ok the user that passes a gssapi-with-mic ticket is
> authenticated, or does ssh forgo PAM when configured for gssapi-with-mic
> tickets as well.

You shouldn't need 'extra' configuration. When a user authenticates
through gssapi-with-mic, the PAM account and session stacks will be run.
This allows authorization checks, and the acquisition of additional credentials.

> 3)Are there other options besides gssapi-with-mic for ssh2 login with a
> kerberos based ticket?

Clients and servers produced by ssh.com support an authentication
mechanism called 'kerberos2 at ssh.com'. This isn't widely used.

> 4)Does the kdc have to have special knowledge of the server that is
> requesting authentication for a user via a forwarded ticket or does the
> server making the request for this sort of auth simply just need to know
> how to ask?

The host/ server principal and the user's principal both need to have
the allow_forwardable flag set. The user's credentials need to have been
obtained as forwardable credentials (for example, through kinit -f). You
need to have credential forwarding turned on by having
'GSSAPIDelegateCredentials yes' in your ssh client's configuration file.

Cheers,

Simon.
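Added example, not part of Simon's reply or of the OpenSSH or MIT Kerberos projects: a client-side pre-flight check for points 1 and 4 above. Before suspecting sshd or the KDC, a user can confirm that the TGT was actually obtained as forwardable and that the client really has GSSAPIAuthentication and GSSAPIDelegateCredentials enabled. It assumes MIT `klist -f` output (the flags line follows the ticket line, with F meaning forwardable) and `ssh -G <host>`, which prints the effective client configuration in lowercase and was added to OpenSSH well after this 2005 thread. The sample outputs embedded below are constructed so the checks run offline.

```shell
#!/bin/sh
# Added example: verify the client prerequisites for gssapi-with-mic
# credential delegation. Not code from the krbdev thread.

# Return 0 when the krbtgt entry in `klist -f` output carries the F
# (forwardable) flag. MIT klist prints "Flags: ..." on the line after the
# ticket line, so awk keeps the previous line to know which ticket it is.
tgt_is_forwardable() {
    printf '%s\n' "$1" | awk '
        prev ~ /krbtgt\// && /Flags:/ {
            split($0, parts, "Flags:")
            gsub(/[ \t]/, "", parts[2])
            if (index(parts[2], "F") > 0) found = 1
        }
        { prev = $0 }
        END { exit found ? 0 : 1 }'
}

# Print the value `ssh -G` reports for an option (one "key value" per line,
# keys lowercased by ssh). Empty output means the option was not listed.
client_option() {
    printf '%s\n' "$1" | awk -v key="$2" \
        'tolower($1) == tolower(key) { print $2; exit }'
}

# Combine the checks: forwardable TGT plus both client options set to yes.
# Arguments: $1 = klist -f output, $2 = ssh -G output.
delegation_ready() {
    if ! tgt_is_forwardable "$1"; then
        echo "TGT is not forwardable: use kinit -f and check the principals' flags"
        return 1
    fi
    if [ "$(client_option "$2" GSSAPIAuthentication)" != yes ]; then
        echo "GSSAPIAuthentication is not yes in the effective client config"
        return 1
    fi
    if [ "$(client_option "$2" GSSAPIDelegateCredentials)" != yes ]; then
        echo "GSSAPIDelegateCredentials is not yes in the effective client config"
        return 1
    fi
    echo "client side is ready for gssapi-with-mic with delegation"
}

# Constructed sample outputs (hypothetical realm and user), so the script
# can be exercised without a KDC. Flags FRIA = forwardable, renewable,
# initial, preauthenticated; IA alone is what a plain `kinit` gives.
SAMPLE_KLIST_FORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: kevin@EXAMPLE.COM

Valid starting       Expires              Service principal
08/01/2005 03:42:35  08/01/2005 13:42:35  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 08/08/2005 03:42:35, Flags: FRIA'

SAMPLE_KLIST_PLAIN='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: kevin@EXAMPLE.COM

Valid starting       Expires              Service principal
08/01/2005 03:42:35  08/01/2005 13:42:35  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: IA'

SAMPLE_SSH_G_OK='gssapiauthentication yes
gssapidelegatecredentials yes'

SAMPLE_SSH_G_NO='gssapiauthentication yes
gssapidelegatecredentials no'

# When invoked with a hostname and the real tools are present, run the
# checks against live output; otherwise the functions are just defined.
if [ "$#" -gt 0 ] && command -v klist >/dev/null 2>&1 \
        && command -v ssh >/dev/null 2>&1; then
    delegation_ready "$(klist -f 2>/dev/null)" "$(ssh -G "$1" 2>/dev/null)"
fi
```

Run it as `sh check-gssapi.sh server.example.com` on the client; the server-side half (GSSAPIAuthentication in sshd_config and the keytab for the host/ principal) is not visible from here and still has to be checked on the host itself.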
