From: Lewis Thompson
To: FreeBSD-questions
Date: Sun, 27 Jul 2003 17:09:14 +0100
Message-ID: <20030727160914.GA8683@lewiz.org>
Subject: Kerberos / sshd

Hi,

I'm trying to get sshd to authenticate users via Kerberos.  I want to do this using a forwardable ticket (I get this by doing kinit -f).

I have the necessary host/fqdn@REALM and rcmd/fqdn@REALM entries in the krb5.keytab file in /etc.  I have defined the following (non-standard) options in my sshd_config:

  RSAAuthentication no
  PubkeyAuthentication no
  PasswordAuthentication no
  ChallengeResponseAuthentication no
  KerberosAuthentication yes
  KerberosOrLocalPasswd no
  KerberosTicketCleanup yes

However, when I try to log in I am prompted with a password prompt, where my Kerberos principal password is rejected (this is correct, I think, since all ChallResponse and PassAuth are disabled).

However, I notice the KerberosTgtPassing option, which looks like it does the ticket passing magic-stuff, but it applies only to AFS.  Is this correct?  Can I not have ticket forwarding for authentication?

Thanks very much,

-lewiz.

--
Earth is a beta site.
-| msn:purple@lewiz.net | jab:lewiz@jabber.org | url:http://lewiz.net |-