Date:      Wed, 23 May 2001 16:44:12 -0500
From:      "Jacques A. Vidrine" <n@nectar.com>
To:        Peter Losher <Peter.Losher@nominum.com>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: OpenSSH and Krb5, FreeBSD style...
Message-ID:  <20010523164412.A540@shade.nectar.com>
In-Reply-To: <Pine.NEB.4.33.0105231124500.9543-100000@shell1.nominum.com>; from Peter.Losher@nominum.com on Wed, May 23, 2001 at 12:15:29PM -0700
References:  <20010523111132.B441@shade.nectar.com> <Pine.NEB.4.33.0105231124500.9543-100000@shell1.nominum.com>

On Wed, May 23, 2001 at 12:15:29PM -0700, Peter Losher wrote:
> Good news - I finally got the OpenSSH client to do Kerberos on my
> 4.3-RELEASE box (My problem was that I uncommented almost all of the
> Kerberos options, when only KerberosAuthentication was needed/supported)
> Ticket Authentication seems to work fine doing 'ssh -1',

Good.

> 'ssh -2' goes to password auth.

The OpenSSH v2 stuff doesn't do Kerberos (IV nor 5).

> Bad news, UW-IMAP suffers from the same linker problem <sigh>.  Also, SSHD
> refuses to take any Krb5 authentication, tkt or password.  

I'm confused -- above you said that it `seems to work fine' with the
v1 protocol.  Which SSHD are you talking about here?

> I installed pam_krb5 from ports, replaced the commented out Krb4
> line under sshd with one for pam_krb5.so, and now sshd segfaults
> whenever you type in a Kerberos password. <sigh>

Obviously that shouldn't happen, but the module is young and finicky.
Use the following for sshd/pam_krb5:

  auth    sufficient      pam_krb5.so try_first_pass 
  auth    required        pam_unix.so
  account sufficient      pam_krb5.so try_first_pass
  account required        pam_unix.so
  session sufficient      pam_krb5.so try_first_pass
  session required        pam_unix.so

> The joys of debugging - Any ideas?

Cheers,
-- 
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org
