Hi *,

I have been stuck for several hours configuring SSH authentication via Kerberos. I tested the same configuration on Linux and there was no problem.
I suspect pam_krb5.so.



My prerequisites: FreeBSD 5.3-RELEASE-p5, Kerberos coming with the base system (Heimdal implementation, Heimdal 0.6.1)

In /etc/krb5.conf:

[libdefaults]
        default_realm = ATREY
[realms]
        ATREY = {
                kdc = 172.16.10.1
                kpasswd_server = 172.16.10.1
        }
[logging]
        kdc = FILE:/var/log/kdc.log
        kdc = SYSLOG:DEBUG
        default = SYSLOG:DEBUG:USER

[appdefaults]
        kinit = {
                forwardable= true
        }

[kdc]
        database = {
                realm = ATREY
        }
        require-preauth = no
        v4-realm= ATREY
        key-file = /var/heimdal/heimdal.mkey



In /etc/pam.d/sshd I have:
auth            sufficient      pam_krb5.so     try_first_pass debug
auth            required        pam_unix.so
account         required        pam_krb5.so     debug
session         optional        pam_krb5.so     debug
password        sufficient      pam_krb5.so     debug

From the client's view:

....
debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/dvorakv/.ssh/identity
debug1: Trying private key: /home/dvorakv/.ssh/id_rsa
debug1: Trying private key: /home/dvorakv/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Password: pam_krb5: pam_sm_authenticate: Kerberos 5 error

pam_krb5: pam_sm_authenticate: Kerberos 5 refuses you

On the server side, in /var/log/auth.log there is nothing to publish. :-( In /var/log/kdc.log:



What's more, the "debug" parameter after pam_krb5.so doesn't increase the verbosity of the output.

Here is my configuration method:

1. kstash
   Password: xxxx
2. edit /etc/krb5.conf
3. kadmin -l
   kadmin> init ATREY
   ..
4. add principals
   kadmin> add dvorakv
   ....
5. run kdc, kpasswd, kadmind
   /etc/rc.d/{kerberos,kadmind,kpasswd} start
6. test if I can get a ticket
   kinit dvorakv
   password: xxxx
[EMAIL PROTECTED]:~$ kinit dvorakv
[EMAIL PROTECTED]'s Password: kinit: NOTICE: ticket renewable lifetime is 1 week
^^^^ everything ok, but SSH and PAM! :-(


And a last remark: this server runs in a jail(8), but there shouldn't be a problem.


Any ideas? Is /etc/pam.d/sshd correct? Is there anything I am missing? Is there anything special in FreeBSD compared to Linux?

Thank you, Vladimir

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
