[19262] in Kerberos


Re: Kerberos-Gssapi-ldap-pam interaction

daemon@ATHENA.MIT.EDU (Simon Wilkinson)
Fri May 16 13:56:50 2003

From: Simon Wilkinson <sxw@warspite.inf.ed.ac.uk>
Date: Fri, 16 May 2003 18:53:04 +0100
Message-ID: <Pine.LNX.4.44.0305161847140.7652-100000@warspite.inf.ed.ac.uk>
To: kerberos@MIT.EDU
Errors-To: kerberos-bounces@mit.edu

On Thu, 15 May 2003, Brent A Nelson wrote:

> May 15 11:00:36 bani sshd[28552]: Authorized to root, krb5 principal
> brent@PHYS.UFL.EDU (krb5_kuserok)
> May 15 11:00:36 bani sshd[28552]: PAM rejected by account
> configuration[6]: Permission denied

Your pam account layer is rejecting a remote root login. If you've
got something like pam_access in this layer, this probably means that
you've got an access.conf file somewhere (/etc/security on RedHat)
which says "root: LOCAL". Read the pam_access docs if you want to change
this.

> May 15 11:00:33 bani sshd[28552]: pam_krb5afs: authenticate error: Client
> not found in Kerberos database (-1765328378)
> May 15 11:00:33 bani sshd[28552]: pam_krb5afs: authentication fails for
> `root'

Looks like you're then moving on to try password-based authentication.

> PS Does anyone know what's happened with Nicolas Williams's patch to get
> OpenSSH to take Kerberos principals in the authorized_keys file?

Not sure. I think Nicolas is at Sun now.

Cheers,

Simon.


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
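
Added example, not part of the original message or of pam_access itself: a simplified Python model of how pam_access evaluates access.conf lines, showing why a remote root login is refused in the account phase even after Kerberos authorization has succeeded. The rule `-:root:ALL EXCEPT LOCAL`, the host name and the function names are constructed for illustration (the message only paraphrases the rule as "root: LOCAL"); group, netgroup, network/mask and nested EXCEPT matching are left out.

```python
# Simplified model of pam_access rule evaluation (added example, not pam_access source).
# access.conf line format: permission:users:origins. The first matching line decides;
# if no line matches, access is granted. Handles one level of EXCEPT only.

# Constructed sample policy, not taken from the original post.
SAMPLE_ACCESS_CONF = """\
# deny root unless the login is local
-:root:ALL EXCEPT LOCAL
+:ALL:ALL
"""

def parse_rules(text):
    """Return [(line_no, perm, users, origins)] for every non-comment line."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":", 2)]
        if len(parts) != 3 or parts[0] not in ("+", "-"):
            raise ValueError(f"line {n}: malformed rule {raw!r}")
        rules.append((n, *parts))
    return rules

def _field_match(field, pred):
    """Match 'a b EXCEPT c d': some token before EXCEPT matches, none after does."""
    tokens = field.split()
    cut = tokens.index("EXCEPT") if "EXCEPT" in tokens else len(tokens)
    return any(map(pred, tokens[:cut])) and not any(map(pred, tokens[cut + 1:]))

def _origin_pred(origin, remote):
    def pred(tok):
        if tok == "ALL":
            return True
        if tok == "LOCAL":            # assumption: LOCAL means "not a network login"
            return not remote
        if tok.startswith("."):       # domain suffix such as .example.org
            return remote and origin.endswith(tok)
        return tok == origin          # exact tty or host name
    return pred

def check_access(rules, user, origin, remote):
    """Return (allowed, deciding_line_no); deciding_line_no is None if nothing matched."""
    for n, perm, users, origins in rules:
        if (_field_match(users, lambda t: t in ("ALL", user))
                and _field_match(origins, _origin_pred(origin, remote))):
            return perm == "+", n
    return True, None
```

Running `check_access` for root with a remote origin returns the deny line's number, which is the line to edit or remove in access.conf when remote root logins are intended.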
