[33322] in Kerberos
Re: krb5_get_init_creds_password: Decrypt integrity check failed
daemon@ATHENA.MIT.EDU (Brian Candler)
Mon Apr 11 14:42:05 2011
Date: Mon, 11 Apr 2011 19:41:49 +0100
From: Brian Candler <B.Candler@pobox.com>
To: Traiano Welcome <Traiano.Welcome@mtnbusiness.co.za>
Message-ID: <20110411184149.GA5382@talktalkplc.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <E012414FCF65894B89F69DE76AE15E99058D60F0@CPT-EXCH01.int.mtnbusiness.net>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Mon, Apr 11, 2011 at 10:59:16AM +0000, Traiano Welcome wrote:
> I'm trying to configure a (Ubuntu/Debian) Linux server as a kerberos
> client with our current kerberos infrastructure. I would like users to
> authenticate ssh logins to the system using kerberos, and so I'm using the
> pam_krb5 pam module.
You don't need pam_krb5 to perform ssh authentication using kerberos.
(Indeed, I was under the impression that pam_krb5 did only *password*
authentication, checking the password against the KDC and getting a Kerberos
TGT as a side effect - but I could be wrong)
Anyway, if you want ssh to be authenticated using kerberos, just do the
following.
Client side: edit /etc/ssh/ssh_config, under Host * set
GSSAPIAuthentication yes
GSSAPIKeyExchange yes (*)
(Don't set "KerberosAuthentication yes"; this means regular password
authentication, but with the password checked against the KDC)
Server side: edit /etc/ssh/sshd_config, set
GSSAPIAuthentication yes
GSSAPIKeyExchange yes (*)
plus all the usual Kerberos stuff:
- create a host key in the KDC
- extract the key to /etc/krb5.keytab
- forward and reverse DNS is correct
- realm to KDC mapping either in DNS or in /etc/krb5.conf
- domain to realm mapping either in DNS or in /etc/krb5.conf
HTH,
Brian.
(*) This is not strictly necessary for regular Kerberos authentication.
However the 'KeyExchange' variant of the protocol uses Kerberos for mutual
authentication; this eliminates the use of .ssh/known_hosts and the
prompting for unknown host keys.
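Added example, not from Brian's post or the OpenSSH/MIT projects: a small POSIX shell checker for the server-side prerequisites listed above (GSSAPI options in sshd_config, host principal in the keytab), run here over constructed samples; server.example.com and EXAMPLE.COM are placeholders, and the DNS and realm-mapping checks are left out because they need the network.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity checks for the
# server-side settings listed above. Inputs are constructed samples so it
# runs offline; on a real host feed it "sshd -T" output (the effective
# config, Match blocks already resolved) and "klist -k /etc/krb5.keytab".

# effective_value CONFIG KEY: print the value of KEY from CONFIG text,
# honouring sshd's rule that the first occurrence of a keyword wins.
# Accepts both "Key value" and "Key=value" forms; skips comment lines.
effective_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        { line = $0; sub(/=/, " ", line); n = split(line, f) }
        n >= 2 && tolower(f[1]) == tolower(key) { print f[2]; exit }'
}

# gssapi_ok CONFIG: succeed only when GSSAPIAuthentication and
# GSSAPIKeyExchange are both "yes" (keyword values are case-insensitive).
gssapi_ok() {
    auth=$(effective_value "$1" GSSAPIAuthentication | tr 'A-Z' 'a-z')
    kex=$(effective_value "$1" GSSAPIKeyExchange | tr 'A-Z' 'a-z')
    [ "$auth" = yes ] && [ "$kex" = yes ]
}

# keytab_has_host KLIST_OUTPUT FQDN REALM: succeed when the "klist -k"
# listing contains the host/FQDN@REALM principal sshd needs.
keytab_has_host() {
    printf '%s\n' "$1" | grep -q "[[:space:]]host/$2@$3\$"
}

# Constructed sample inputs (hostname and realm are placeholders).
GOOD_CFG='# sshd_config sample
GSSAPIAuthentication yes
GSSAPIKeyExchange=yes
KerberosAuthentication no'
BAD_CFG='#GSSAPIAuthentication yes
GSSAPIKeyExchange yes'
KLIST_OUT='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------
   2 host/server.example.com@EXAMPLE.COM'

demo() {
    gssapi_ok "$GOOD_CFG" && echo "good config: GSSAPI enabled"
    gssapi_ok "$BAD_CFG" || echo "bad config: GSSAPIAuthentication is commented out"
    keytab_has_host "$KLIST_OUT" server.example.com EXAMPLE.COM &&
        echo "keytab has host/server.example.com@EXAMPLE.COM"
}
demo
```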