Date: Wed, 31 Aug 2005 13:23:00 +0200
From: Stijn Hoop <stijn@win.tue.nl>
To: questions@freebsd.org
Subject: heimdal kerberos & ssh
Message-ID: <20050831112300.GA48436@pcwin002.win.tue.nl>
Hi,

I'm trying to set up a Kerberos realm, on a 5.4-STABLE box using the base heimdal version. I have successfully created the database and I can get a ticket using kinit.

Now I'm trying to set up the ssh service so that it authenticates to the kerberos server, and so that it saves the ticket to the credentials cache. However that last point is not working:

%%%
[stijn@firsa] <~> grep stijnkrb /etc/passwd
stijnkrb:*:1004:1004:stijn kerb test:/home/stijnkrb:/usr/local/bin/zsh
[stijn@firsa] <~> ssh stijnkrb@localhost
Password:
Last login: Wed Aug 31 13:11:15 2005 from localhost.lzee.
firsa% klist
klist: No ticket file: /tmp/krb5cc_1004
%%%

So it seems that the authentication is working, however the TGT is not being saved. I have modified /etc/pam.d/sshd as follows:

%%%
# auth
auth		required	pam_krb5.so	no_warn try_first_pass
# account
account		required	pam_krb5.so
# session
session		required	pam_permit.so
# password
password	required	pam_krb5.so	no_warn try_first_pass
%%%

Which to my mind should allow only kerberos accounts to log in. However, sshd happily passes authentication for local-only accounts as well! I do have UsePAM yes in /etc/ssh/sshd_config, although the text suggested this as the default.

Not knowing much about pam, is this not the right thing to do? I have tried variations on this but it seems that it's not helping any... Adding a 'ccache' option to the auth line for pam_krb5 didn't help either.

Is there an introductory document on PAM available online somewhere? Or better a working setup with pam_krb5 on FreeBSD 5.x/6.x?

Thanks,

--Stijn

-- 
Nostalgia ain't what it used to be.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050831112300.GA48436>
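The message above asks for an introduction to PAM. The following is an added example, not part of the original post and not FreeBSD or OpenPAM code: a small simulator of the control-flag semantics from pam.conf(5) (required, requisite, sufficient, optional, and OpenPAM's binding), run over the auth stack quoted in the message and over a constructed alternative stack that falls back from pam_krb5 to pam_unix. Module outcomes (PAM_SUCCESS or failure) are supplied by the caller, so it runs without a KDC or an sshd; the FALLBACK_SSHD_AUTH policy is an assumption written for illustration, not the FreeBSD default. It shows what each stack itself decides for a Kerberos-only user, a local-only user and a wrong password; it does not explain why the poster's sshd admitted local accounts.

```python
"""Simulate how a PAM chain such as /etc/pam.d/sshd decides a request.

Control-flag semantics follow pam.conf(5) as implemented by OpenPAM
(FreeBSD) and Linux-PAM. Module results are supplied by the caller, so a
policy can be reasoned about offline, without a KDC or an sshd.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Rule:
    facility: str          # auth | account | session | password
    control: str           # required | requisite | sufficient | optional | binding
    module: str            # e.g. pam_krb5.so
    options: List[str] = field(default_factory=list)


def parse_pam_d(text: str) -> List[Rule]:
    """Parse a pam.d-style policy (one service, so no leading service column)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed pam.d line: {raw!r}")
        facility, control, module, *opts = parts
        rules.append(Rule(facility.lower(), control.lower(), module, opts))
    return rules


def run_chain(rules: List[Rule], facility: str, outcomes: Dict[str, bool]) -> str:
    """Return 'success' or 'fail' for one facility (e.g. 'auth') of the chain.

    outcomes maps module name -> True (PAM_SUCCESS) / False (any error code).
    A module missing from the mapping is treated as failing, which is what an
    unknown principal or a missing local account does in practice.
    """
    chain = [r for r in rules if r.facility == facility]
    failed = False       # a required/requisite/binding module has failed
    succeeded = False    # at least one module returned PAM_SUCCESS
    for rule in chain:
        ok = outcomes.get(rule.module, False)
        succeeded = succeeded or ok
        if rule.control == "requisite":
            if not ok:
                return "fail"            # deny immediately, later modules never run
        elif rule.control == "required":
            if not ok:
                failed = True            # remember the failure, keep running the chain
        elif rule.control == "sufficient":
            if ok and not failed:
                return "success"         # short-circuit; a failure here is ignored
        elif rule.control == "binding":  # OpenPAM only
            if ok and not failed:
                return "success"
            if not ok:
                failed = True
        elif rule.control == "optional":
            pass                         # decisive only when nothing else decides
        else:
            raise ValueError(f"unknown control flag {rule.control!r}")
    # An empty chain, or one in which nothing succeeded, denies.
    return "fail" if (failed or not succeeded) else "success"


# The auth stack from the message above (other facilities omitted).
POSTED_SSHD_AUTH = """
# auth
auth    required    pam_krb5.so     no_warn try_first_pass
"""

# Constructed alternative (assumption, not the FreeBSD default): Kerberos
# first, local password file as fallback for accounts without a principal.
FALLBACK_SSHD_AUTH = """
auth    sufficient  pam_krb5.so     no_warn try_first_pass
auth    required    pam_unix.so     no_warn try_first_pass
"""


def decide(policy: str, outcomes: Dict[str, bool]) -> str:
    """Evaluate the auth facility of a pam.d policy text."""
    return run_chain(parse_pam_d(policy), "auth", outcomes)


if __name__ == "__main__":
    # stijnkrb-style account: principal in the KDC, '*' in /etc/passwd
    krb_user = {"pam_krb5.so": True, "pam_unix.so": False}
    local_only = {"pam_krb5.so": False, "pam_unix.so": True}
    bad_password = {"pam_krb5.so": False, "pam_unix.so": False}
    for name, policy in (("posted", POSTED_SSHD_AUTH), ("fallback", FALLBACK_SSHD_AUTH)):
        for who, outcome in (("kerberos user", krb_user),
                             ("local-only user", local_only),
                             ("bad password", bad_password)):
            print(f"{name:8s} {who:16s} -> {decide(policy, outcome)}")
```

Run stand-alone it prints one decision per stack and user. The quoted stack, with a single `required pam_krb5.so` line, denies any account the KDC does not know; the constructed fallback stack admits such accounts through `pam_unix.so` because a failing `sufficient` module is ignored and the chain continues. Changing `sufficient` to `requisite` on the pam_krb5 line turns that fallback back into a hard requirement.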