From: Vladimir Dvorak
To: freebsd-questions@freebsd.org
Date: Wed, 16 Mar 2005 11:18:34 +0100
Message-ID: <423807FA.1010900@vdsoft.org>
Subject: SSH with Kerberos authentication

Hi *,

I have been stuck for several hours configuring SSH authentication via Kerberos. I tested the same configuration on Linux and there was no problem. I suspect pam_krb5.so.

My requisites:

FreeBSD 5.3-RELEASE-p5, Kerberos coming with the base system (Heimdal implementation, Heimdal 0.6.1).

In /etc/krb5.conf:

    [libdefaults]
        default_realm = ATREY

    [realms]
        ATREY = {
            kdc = 172.16.10.1
            kpasswd_server = 172.16.10.1
        }

    [logging]
        kdc = FILE:/var/log/kdc.log
        kdc = SYSLOG:DEBUG
        default = SYSLOG:DEBUG:USER

    [appdefaults]
        kinit = {
            forwardable = true
        }

    [kdc]
        database = {
            realm = ATREY
        }
        require-preauth = no
        v4-realm = ATREY
        key-file = /var/heimdal/heimdal.mkey

In /etc/pam.d/sshd I have:

    auth      sufficient  pam_krb5.so  try_first_pass debug
    auth      required    pam_unix.so
    account   required    pam_krb5.so  debug
    session   optional    pam_krb5.so  debug
    password  sufficient  pam_krb5.so  debug

From the client view:

    ....
    debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive
    debug1: Next authentication method: gssapi-with-mic
    debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive
    debug1: Next authentication method: publickey
    debug1: Trying private key: /home/dvorakv/.ssh/identity
    debug1: Trying private key: /home/dvorakv/.ssh/id_rsa
    debug1: Trying private key: /home/dvorakv/.ssh/id_dsa
    debug1: Next authentication method: keyboard-interactive
    Password:
    pam_krb5: pam_sm_authenticate: Kerberos 5 error
    pam_krb5: pam_sm_authenticate: Kerberos 5 refuses you

On the server side, there is nothing to show in /var/log/auth.log. :-(

In /var/log/kdc.log:

What's more, the "debug" parameter after pam_krb5.so doesn't increase the verbosity of the output.

Here is my configuration method:

1. kstash
       Password: xxxx
2. edit /etc/krb5.conf
3. kadmin -l
       kadmin> init ATREY
       ..
4. add principals
       kadmin> add dvorakv
       ....
5. run kdc, kpasswd, kadmind
       /etc/rc.d/{kerberos,kadmind,kpasswd} start
6. test if I can get a ticket
       kinit dvorakv
       password: xxxx

    dvorakv@atrey:~$ kinit dvorakv
    dvorakv@ATREY's Password:
    kinit: NOTICE: ticket renewable lifetime is 1 week

^^^^ everything OK, but SSH and PAM! :-(

And the last remark: this server runs in jail(8), but that shouldn't be a problem.

Any ideas? Is /etc/pam.d/sshd correct? Is there anything I am missing? Is there anything special in FreeBSD compared to Linux?

Thank you,
Vladimir
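As an added illustration (not part of Vladimir's mail): a toy evaluator for the control flags in the /etc/pam.d/sshd stack quoted above, following the chain rules documented in FreeBSD's pam.conf(5), so you can see which module actually decides the outcome when pam_krb5.so refuses the user. The module results fed in are constructed stand-ins, not real PAM calls.

```python
SUCCESS, FAIL = "success", "fail"

# The stack from the mail, embedded here as constructed input.
SSHD_PAM = """
auth      sufficient  pam_krb5.so  try_first_pass debug
auth      required    pam_unix.so
account   required    pam_krb5.so  debug
session   optional    pam_krb5.so  debug
password  sufficient  pam_krb5.so  debug
"""

def parse_pam(text):
    """Parse 'facility control module [options...]' lines into tuples."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3:
            stack.append((fields[0], fields[1], fields[2], fields[3:]))
    return stack

def evaluate(stack, facility, results):
    """Walk one facility's chain; results maps module -> SUCCESS/FAIL.
    Returns (outcome, modules_consulted). Rules (pam.conf(5)):
      required   failure is remembered, the chain keeps running
      requisite  failure ends the chain at once
      sufficient success ends the chain unless a required module already
                 failed; its failure is simply ignored
      binding    like required, but success ends the chain
      optional   counts only when no other module decided
    """
    fail_seen = success_seen = False
    optional, consulted = None, []
    for _, control, module, _ in (m for m in stack if m[0] == facility):
        r = results.get(module, FAIL)   # unknown module: treat as failure
        consulted.append(module)
        if control == "requisite" and r == FAIL:
            return FAIL, consulted
        if control in ("required", "requisite", "binding"):
            fail_seen = fail_seen or r == FAIL
            success_seen = success_seen or r == SUCCESS
            if control == "binding" and r == SUCCESS and not fail_seen:
                return SUCCESS, consulted
        elif control == "sufficient" and r == SUCCESS and not fail_seen:
            return SUCCESS, consulted   # later modules are never consulted
        elif control == "optional":
            optional = r
    if fail_seen:
        return FAIL, consulted
    return (SUCCESS if success_seen else optional or FAIL), consulted
```

With this stack, a Kerberos refusal on its own does not deny the login: pam_unix.so is asked next and decides, while a Kerberos success short-circuits the chain before pam_unix.so runs.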