[30534] in Kerberos


Re: Kerberos auth based on ticket

daemon@ATHENA.MIT.EDU (Mathew Rowley)
Mon Dec 15 18:50:42 2008

Date: Mon, 15 Dec 2008 16:49:29 -0700
From: Mathew Rowley <mathew_rowley@cable.comcast.com>
To: Russ Allbery <rra@stanford.edu>
Message-ID: <C56C3B19.4F74%mathew_rowley@cable.comcast.com>
In-Reply-To: <871vw9ypcc.fsf@windlord.stanford.edu>
Mime-version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Well, that would make sense... Looking at the sshd and ssh configurations,
it seems to be enabled on both.  Is there some configuration I am missing?

[root@ipa01 ~]# grep -i GSSAPI  /etc/ssh/ssh_config
        GSSAPIAuthentication yes
[root@ipa01 ~]# grep -i GSSAPI  /etc/ssh/sshd_config
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

MAT


On 12/15/08 4:45 PM, "Russ Allbery" <rra@stanford.edu> wrote:

> Mathew Rowley <mathew_rowley@cable.comcast.com> writes:
> 
>> I am having a really hard time finding any documentation about PAM
>> configurations.  I want to be able to authenticate an SSH login with a
>> valid Kerberos ticket.  What configurations do I need within the
>> /etc/pam.d/system-auth file to allow an authentication to succeed with a
>> valid ticket?
> 
> You're having a hard time finding that documentation because those are two
> unrelated things.  PAM configuration only affects what one does once one
> has a password in hand.  To authenticate with a Kerberos ticket, you need
> both an ssh client and an ssh server that support GSSAPI authentication, a
> keytab for the server, and GSSAPI authentication enabled.  PAM is not
> involved.
> 
> --
> Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
> 

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
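
Added example, not part of the original thread: an offline check of the prerequisites named in the quoted reply (GSSAPI enabled on client and server, plus a server keytab). The file contents, the host name ipa01.example.com, the realm EXAMPLE.COM and the function names are constructed for illustration; the sample keytab listing deliberately lacks a host/ key, so both config files look correct while one prerequisite is still missing.

```shell
#!/bin/sh
# Constructed sample data; ipa01.example.com / EXAMPLE.COM are placeholders.

# first_value KEYWORD FILE: print the value of the first uncommented KEYWORD
# line. Keywords are case-insensitive and OpenSSH keeps the first value it
# obtains. Assumption: Host/Match scoping is ignored to keep the check short.
first_value() {
    awk -v key="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ") }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$2"
}

# has_host_key FQDN: read `klist -k` output on stdin and succeed if it lists
# a key for host/FQDN, the service principal sshd uses for GSSAPI.
has_host_key() {
    awk -v p="host/$1@" 'index($2, p) == 1 { found = 1 } END { exit !found }'
}

# check_gssapi SSHD_CONFIG SSH_CONFIG KLIST_OUTPUT FQDN: print each missing
# prerequisite and return the number of problems found (0 means all present).
check_gssapi() {
    problems=0
    [ "$(first_value GSSAPIAuthentication "$1")" = yes ] ||
        { echo "server: GSSAPIAuthentication not enabled"; problems=$((problems + 1)); }
    [ "$(first_value GSSAPIAuthentication "$2")" = yes ] ||
        { echo "client: GSSAPIAuthentication not enabled"; problems=$((problems + 1)); }
    has_host_key "$4" < "$3" ||
        { echo "server: no host/$4 key in keytab"; problems=$((problems + 1)); }
    return "$problems"
}

# Constructed inputs: configs resembling the grep output in the message, and
# a keytab listing that holds only an ldap/ key.
demo=$(mktemp -d)
printf '%s\n' '# GSSAPI options' '#GSSAPIAuthentication no' \
    'GSSAPIAuthentication yes' 'GSSAPICleanupCredentials yes' > "$demo/sshd_config"
printf '%s\n' 'Host *' '        GSSAPIAuthentication yes' > "$demo/ssh_config"
printf '%s\n' 'Keytab name: FILE:/etc/krb5.keytab' 'KVNO Principal' \
    '---- ---------' '   3 ldap/ipa01.example.com@EXAMPLE.COM' > "$demo/klist.txt"

check_gssapi "$demo/sshd_config" "$demo/ssh_config" "$demo/klist.txt" \
    ipa01.example.com || echo "problems found: $?"
```

On a live host the third argument would be the saved output of `klist -k` run against the server's keytab.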
