Date:      Tue, 20 Dec 2022 15:29:21 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 268186] Kerberos authentication fails with a Linux/FreeIPA KDC
Message-ID:  <bug-268186-227-QnbUpOQnS6@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-268186-227@https.bugs.freebsd.org/bugzilla/>
References:  <bug-268186-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268186

--- Comment #35 from amendlik@gmail.com ---
(In reply to Cy Schubert from comment #34)

We seem to be discussing at least 3 different authentication mechanisms that
could all properly be called "Kerberos authentication":

1) OpenSSH with GSSAPIAuthentication: the client passes a service ticket to the
server.

2) OpenSSH with KerberosAuthentication: the server prompts the client for a
password and those credentials are verified by the KDC.

3) OpenSSH with PAM and pam_krb5: according to the documentation
(https://www.freebsd.org/cgi/man.cgi?query=pam_krb5&sektion=8&n=1) this also
prompts for a password:

     It prompts the user for a password and obtains a new Kerberos TGT for the
     principal.  The TGT is verified by obtaining a service ticket for the
     local host.

     When prompting for the current password, the authentication module will
     use the prompt "Password for <principal>:".

I am trying to achieve authentication using a service ticket, without prompting
the user for a password. I just want to confirm that we are pursuing the same
solution here. Can this be done with PAM?

On your other questions: I am testing using a FreeBSD client and server, with
the only Linux machine being the FreeIPA KDC. The FreeBSD client config looks
like this:

ForwardX11Trusted yes
GSSAPIAuthentication yes
PubkeyAuthentication no
VerifyHostKeyDNS yes
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
GSSAPIDelegateCredentials yes

-- 
You are receiving this mail because:
You are the assignee for the bug.
