Date: Tue, 10 May 2005 14:37:55 -0600
From: Tillman Hodgson <tillman@seekingfire.com>
To: freebsd-questions@freebsd.org
Subject: Re: Kerberos
Message-ID: <20050510203755.GC19844@seekingfire.com>
In-Reply-To: <20050510004423.1888.qmail@web50406.mail.yahoo.com>
References: <20050509194220.1FFA316A500@hub.freebsd.org> <20050510004423.1888.qmail@web50406.mail.yahoo.com>
On Mon, May 09, 2005 at 05:44:23PM -0700, Damian Sobieralski wrote:
> > Look into the GSSAPI options for /etc/ssh/ssh_config instead.
> > Newer OpenSSH versions support Kerberos natively and
> > don't need PAM hacks.
>
> Thanks Tillman! I was using PAM only based on someone's
> recommendation. As I've already admitted limited kerberos knowledge, I
> didn't know enough to question this approach. Based on your advice,
> I'll look into GSSAPI and I'll post my results to the group. :-)

As a "get you started" hint, set these in your ssh_config on the client hosts:

    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

And these in the sshd_config on the destination hosts:

    GSSAPICleanupCredentials yes
    GSSAPIAuthentication yes

Then obtain a valid ticket with kinit and test OpenSSH with:

    ssh -vvv -o PreferredAuthentications=gssapi-with-mic hostname.domain.tld

(We're specifying the auth option explicitly to avoid things like pubkey, etc. You won't need to do this in the Real World once it's been confirmed to be working.)

A successful login displays this in the output:

    debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
    debug1: Next authentication method: gssapi-with-mic
    debug1: Delegating credentials
    debug1: Delegating credentials
    debug1: Authentication succeeded (gssapi-with-mic).

Note that OpenSSH doesn't appear to be very smart about handling multi-homed hosts, so expect to run into difficulties in that situation (one of the reasons that I just use `telnet -x` instead).

-T

-- 
"Waking a person unnecessarily should not be considered a capital crime. For a first offense, that is." -- Robert Heinlein
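The test procedure above (set the GSSAPI options, kinit, run ssh -vvv and look for the success line) can be checked mechanically. The following POSIX shell script is an added example, not part of the original message or of OpenSSH: it reads the effective client configuration in the format printed by `ssh -G hostname` (lowercase keyword, value) and classifies an `ssh -vvv` transcript by whether gssapi-with-mic actually succeeded and whether the client delegated its Kerberos credentials to the server. The sample transcript and configuration embedded here are constructed from the lines quoted in the thread; the hostname and the exact line ordering are assumptions.

```shell
#!/bin/sh
# Added example (not from the original message): verify a GSSAPI ssh login
# from the client's effective configuration and its -vvv debug output.

# Constructed sample of `ssh -vvv` output, modelled on the lines quoted in
# the thread. Line order and hostname are assumptions.
SAMPLE_DEBUG='debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Authentication succeeded (gssapi-with-mic).'

# Constructed sample of `ssh -G hostname.domain.tld` output, which prints the
# effective client configuration as one lowercase keyword and value per line.
SAMPLE_CLIENT_CFG='gssapiauthentication yes
gssapidelegatecredentials yes
preferredauthentications gssapi-with-mic'

# classify_ssh_debug DEBUG_TEXT
# Prints one of:
#   gssapi-delegated     login succeeded via gssapi-with-mic, TGT forwarded
#   gssapi-nodelegate    login succeeded via gssapi-with-mic, no delegation
#   gssapi-offered-only  server offered gssapi-with-mic but it did not succeed
#   no-gssapi            gssapi-with-mic never appeared
classify_ssh_debug() {
    _dbg=$1
    if printf '%s\n' "$_dbg" | grep -q 'Authentication succeeded (gssapi-with-mic)'; then
        if printf '%s\n' "$_dbg" | grep -q 'Delegating credentials'; then
            echo gssapi-delegated
        else
            echo gssapi-nodelegate
        fi
    elif printf '%s\n' "$_dbg" | grep -q 'Authentications that can continue:.*gssapi-with-mic'; then
        echo gssapi-offered-only
    else
        echo no-gssapi
    fi
}

# cfg_value CFG_TEXT KEYWORD
# Prints the value of KEYWORD (matched case-insensitively) from `ssh -G` or
# `sshd -T` style output; prints nothing when the keyword is absent.
cfg_value() {
    printf '%s\n' "$1" | awk -v k="$2" 'tolower($1) == k { print $2; exit }'
}

# check_client_config CFG_TEXT
# Prints a one-line summary of the two client-side GSSAPI settings and
# returns 0 only when GSSAPIAuthentication is enabled. Delegation is
# reported separately because it hands the server a copy of the user's
# Kerberos credentials and is worth knowing about per destination host.
check_client_config() {
    _auth=$(cfg_value "$1" gssapiauthentication)
    _deleg=$(cfg_value "$1" gssapidelegatecredentials)
    echo "gssapiauthentication=${_auth:-unset} gssapidelegatecredentials=${_deleg:-unset}"
    [ "$_auth" = yes ]
}

# Stand-alone run over the constructed samples.
check_client_config "$SAMPLE_CLIENT_CFG"
classify_ssh_debug "$SAMPLE_DEBUG"
```

On a real host, replace the constructed samples with `ssh -G hostname.domain.tld` and `ssh -vvv -o PreferredAuthentications=gssapi-with-mic hostname.domain.tld 2>&1`; a result of gssapi-offered-only usually means the server advertises GSSAPI but the client has no usable ticket or the host's service principal does not match the name used to connect, which is the multi-homed-host situation the message warns about.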
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050510203755.GC19844>