Date: Thu, 15 Jan 2004 12:58:02 +0300
From: Illia Baidakov
To: freebsd-security@freebsd.org
Subject: kerberos5 authentication of ssh connections

Hello freebsd-security!

What is the best way to authenticate remote ssh users transparently without typing the kinit and kdestroy commands? Using pam_krb5 works satisfactorily for local logins but makes it crooked for remote ssh ones. The comp.protocols.kerberos and comp.security.ssh newsgroups and the pam-krb5-users mailing list confirm this assertion. As far as I understood, using the kerberized login.krb5 tool implies removing (or hiding) the native login program and substituting it with login.krb5, say as a symbolic link, doesn't it?

The possibility of selecting one of two or more authentication methods, as in the case of PAM, may be useful, say, if I need to pass users over to exploiting kerberized applications gradually, and even more so when I am suffering problems with my KDCs or network connections. IMHO using pam_krb5 for kerberized login is somewhat superfluous.

--
Thanks in advance
Illia Baidakov.