Date: Wed, 25 Jan 2017 09:58:24 +0000
From: "C. L. Martinez" <carlopmart@gmail.com>
To: freebsd-questions@freebsd.org
Subject: Re: SSH with kerberos auth doesn't provide a ticket
Message-ID: <20170125095824.keq3yeu56ewjgh4l@stonehaven.uxdom.org>
In-Reply-To: <CAPyT1SF5UptnxdP=ANxoMhec51w_9L%2B43y2o5hbZrvUwU-o1Qg@mail.gmail.com>
References: <20170125072552.wrcbygdm6rbxtkhy@stonehaven.uxdom.org> <CAPyT1SF5UptnxdP=ANxoMhec51w_9L%2B43y2o5hbZrvUwU-o1Qg@mail.gmail.com>

On Tue, Jan 24, 2017 at 11:45:30PM -0800, Matt Mullins wrote:
> On Tue, Jan 24, 2017 at 11:25 PM, C. L. Martinez <carlopmart@gmail.com> wrote:
> > Hi all,
> >
> > I have a strange problem with ssh when kerberos auth is used. We have three kerberos servers based on MIT kerberos. I have configured a FreeBSD 11-RELEASE virtual guest to authenticate against these kerberos servers. Auth works ok, but ssh doesn't request a kerberos ticket (I am connecting from a Windows 10 workstation with putty):
>
> When you say "auth works ok", I assume that means that PuTTY does not
> prompt for a password? If it does prompt for a password, you are
> definitely not using GSSAPI at the ssh-connection layer (even if that
> password is being checked against a KDC on the ssh server).
>
> > I have enabled the following options in sshd_config:
> >
> > # Kerberos options
> > KerberosAuthentication yes
>
> You probably don't need that, if you've got mod_krb5.so in your PAM
> config. This only applies when PasswordAuthentication is negotiated
> for an SSH session, anyway.
>
> > It is strange because this "problem" only appears with FreeBSD; all other Linux systems don't have this problem.
> >
> > What am I doing wrong?
>
> When you configure your PuTTY connection for your FreeBSD machine,
> make sure you check the "Allow GSSAPI credential delegation" in
> Connection -> SSH -> Auth -> GSSAPI. Seems to work for me.

Thanks Matt for your answer. But it is not a problem with PuTTY. Using the default config that comes with PuTTY, when I do an ssh login to a CentOS or RHEL server with kerberos auth enabled, the ticket is requested and it works. Maybe it is a problem with my PAM config.

/etc/pam.d/system

#
# $FreeBSD$
#
# System-wide defaults
#

# auth
auth		sufficient	pam_opie.so		no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so	no_warn allow_local
auth		sufficient	pam_krb5.so		no_warn try_first_pass
#auth		sufficient	pam_ssh.so		no_warn try_first_pass
auth		required	pam_unix.so		no_warn try_first_pass nullok

# account
account		required	pam_krb5.so
account		required	pam_login_access.so
account		required	pam_unix.so

# session
#session	optional	pam_ssh.so		want_agent
session		required	pam_lastlog.so		no_fail

# password
password	sufficient	pam_krb5.so		no_warn try_first_pass
password	required	pam_unix.so		no_warn try_first_pass

and /etc/pam.d/sshd

#
# $FreeBSD$
#
# PAM configuration for the "sshd" service
#

# auth
auth		sufficient	pam_opie.so		no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so	no_warn allow_local
auth		sufficient	pam_krb5.so		no_warn try_first_pass
#auth		sufficient	pam_ssh.so		no_warn try_first_pass
auth		required	pam_unix.so		no_warn try_first_pass

# account
account		required	pam_nologin.so
#account	required	pam_krb5.so
account		required	pam_login_access.so
account		required	pam_unix.so

# session
#session	optional	pam_ssh.so		want_agent
session		required	pam_permit.so

# password
password	sufficient	pam_krb5.so		no_warn try_first_pass
password	required	pam_unix.so		no_warn try_first_pass

-- 
Greetings,
C. L. Martinez
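
An added example, not part of the original message: a small Python check that reports, for each PAM facility, whether pam_krb5.so is active, commented out, or absent in a service file, so the two posted files can be compared side by side. The function name krb5_status is hypothetical, and the sample input is the rule lines of the two files above with the header comments dropped.

```python
# Added example (not from the thread): where is pam_krb5.so enabled in a PAM file?
FACILITIES = ("auth", "account", "session", "password")

def krb5_status(text, module="pam_krb5.so"):
    status = dict.fromkeys(FACILITIES, "absent")
    for raw in text.splitlines():
        fields = raw.strip().lstrip("#").split()
        # A rule line is: facility control-flag module [options...]
        if len(fields) < 3 or fields[0] not in FACILITIES or fields[2] != module:
            continue
        if not raw.lstrip().startswith("#"):
            status[fields[0]] = "active"
        elif status[fields[0]] == "absent":
            status[fields[0]] = "commented out"
    return status

# Sample input: rule lines of the two posted files (header comments dropped).
SYSTEM = """\
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok
account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
#session optional pam_ssh.so want_agent
session required pam_lastlog.so no_fail
password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
"""
SSHD = """\
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
#session optional pam_ssh.so want_agent
session required pam_permit.so
password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
"""
if __name__ == "__main__":
    for name, text in (("system", SYSTEM), ("sshd", SSHD)):
        print(name, krb5_status(text))
```

This only compares the PAM stacks; whether a ticket is delegated at the SSH connection layer is the separate GSSAPI question raised in the quoted reply.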