Hi *,
I have been stuck for several hours with configuring SSH authentication via Kerberos. I tested the same configuration on Linux and there was no problem.
I suspect pam_krb5.so.
My prerequisites: FreeBSD 5.3-RELEASE-p5, Kerberos coming with the base system (Heimdal implementation, Heimdal 0.6.1).
in /etc/krb5.conf:

    [libdefaults]
        default_realm = ATREY

    [realms]
        ATREY = {
            kdc = 172.16.10.1
            kpasswd_server = 172.16.10.1
        }

    [logging]
        kdc = FILE:/var/log/kdc.log
        kdc = SYSLOG:DEBUG
        default = SYSLOG:DEBUG:USER

    [appdefaults]
        kinit = {
            forwardable = true
        }

    [kdc]
        database = {
            realm = ATREY
        }
        require-preauth = no
        v4-realm = ATREY
        key-file = /var/heimdal/heimdal.mkey
in /etc/pam.d/sshd I have:

    auth        sufficient  pam_krb5.so   try_first_pass debug
    auth        required    pam_unix.so
    account     required    pam_krb5.so   debug
    session     optional    pam_krb5.so   debug
    password    sufficient  pam_krb5.so   debug
From the client side:

    ....
    debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive
    debug1: Next authentication method: gssapi-with-mic
    debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive
    debug1: Next authentication method: publickey
    debug1: Trying private key: /home/dvorakv/.ssh/identity
    debug1: Trying private key: /home/dvorakv/.ssh/id_rsa
    debug1: Trying private key: /home/dvorakv/.ssh/id_dsa
    debug1: Next authentication method: keyboard-interactive
    Password:
    pam_krb5: pam_sm_authenticate: Kerberos 5 error
    pam_krb5: pam_sm_authenticate: Kerberos 5 refuses you
On the server side, in /var/log/auth.log there is nothing to report. :-( In /var/log/kdc.log :
What is more, the "debug" parameter after pam_krb5.so doesn't increase the verbosity of the output.
Here is my configuration method:

1. kstash
   Password: xxxx
2. edit /etc/krb5.conf
3. kadmin -l
   kadmin> init ATREY
   ..
4. add principals
   kadmin> add dvorakv
   ....
5. run kdc, kpasswd, kadmind
   /etc/rc.d/{kerberos,kadmind,kpasswd} start
6. test if I can get a ticket: kinit dvorakv
   password: xxxx
   [EMAIL PROTECTED]:~$ kinit dvorakv
   [EMAIL PROTECTED]'s Password:
   kinit: NOTICE: ticket renewable lifetime is 1 week
   ^^^^ everything ok, but SSH and PAM! :-(
And the last remark: this server runs in jail(8), but that shouldn't be a problem.
Any ideas? Is /etc/pam.d/sshd correct? Is there anything I am missing? Is there anything special in FreeBSD compared to Linux?
Thank you, Vladimir
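An added example, not part of Vladimir's post and not FreeBSD or Heimdal code: a small Python parser for the krb5.conf format quoted above, followed by a sanity checker that flags the things a defender would verify before blaming pam_krb5. The sample configuration is the one from the post, embedded as a constructed string so the script runs offline. Assumptions: the keytab path /etc/krb5.keytab is the default FreeBSD pam_krb5 consults when it verifies a freshly obtained TGT against the host key; passing keytab_path=None skips that filesystem check.

```python
import os
import re

# Constructed sample: the krb5.conf quoted in the post, embedded so this runs offline.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = ATREY
[realms]
    ATREY = {
        kdc = 172.16.10.1
        kpasswd_server = 172.16.10.1
    }
[logging]
    kdc = FILE:/var/log/kdc.log
    kdc = SYSLOG:DEBUG
    default = SYSLOG:DEBUG:USER
[appdefaults]
    kinit = {
        forwardable = true
    }
[kdc]
    database = {
        realm = ATREY
    }
    require-preauth = no
    v4-realm = ATREY
    key-file = /var/heimdal/heimdal.mkey
"""


def _store(d, key, value):
    """Store a value; repeated keys (the two 'kdc =' logging lines) become a list."""
    if key not in d:
        d[key] = value
    elif isinstance(d[key], list):
        d[key].append(value)
    else:
        d[key] = [d[key], value]


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value | list | nested dict}}.

    Handles flat 'key = value' lines and 'name = { ... }' blocks (nested to
    any depth), which covers [realms], [appdefaults] and Heimdal's [kdc]
    database block. '#' starts a comment.
    """
    sections = {}
    current = None   # dict the next key is stored in
    stack = []       # enclosing dicts while inside '{ ... }' blocks
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^\[(\S+)\]$', line)
        if m:
            stack = []
            current = sections.setdefault(m.group(1), {})
            continue
        if line == '}':
            if not stack:
                raise ValueError('unbalanced } in: %r' % raw)
            current = stack.pop()
            continue
        m = re.match(r'^([^=\s]+)\s*=\s*(.*)$', line)
        if not m or current is None:
            raise ValueError('unparseable line: %r' % raw)
        key, value = m.group(1), m.group(2).strip()
        if value == '{':
            block = {}
            _store(current, key, block)
            stack.append(current)
            current = block
        else:
            _store(current, key, value)
    if stack:
        raise ValueError('unterminated { block')
    return sections


def check_krb5_conf(conf, keytab_path='/etc/krb5.keytab'):
    """Return a list of problems a Kerberos login through sshd/PAM could trip over."""
    problems = []
    realm = conf.get('libdefaults', {}).get('default_realm')
    if not realm:
        return ['[libdefaults] default_realm is not set']
    if realm != realm.upper():
        problems.append('realm %r is not upper-case (realm names are case-sensitive)' % realm)
    entry = conf.get('realms', {}).get(realm)
    if entry is None:
        problems.append('no [realms] entry for default realm %r' % realm)
    elif 'kdc' not in entry:
        problems.append('[realms] %s has no kdc line' % realm)
    if 'domain_realm' not in conf:
        problems.append('no [domain_realm] section; host-to-realm mapping will be guessed')
    # Heimdal KDC setting: without preauth anyone can request a user's AS-REP
    # and attack the password offline, so 'no' is worth a warning.
    if conf.get('kdc', {}).get('require-preauth', 'yes') == 'no':
        problems.append('[kdc] require-preauth = no exposes AS-REP to offline guessing')
    # Assumed path: pam_krb5 verifies the TGT against the host key in the keytab.
    if keytab_path and not os.path.exists(keytab_path):
        problems.append('host keytab %s missing; TGT verification cannot succeed' % keytab_path)
    return problems


if __name__ == '__main__':
    for p in check_krb5_conf(parse_krb5_conf(SAMPLE_KRB5_CONF)):
        print('WARNING:', p)
```

Run it against the real /etc/krb5.conf by reading the file into parse_krb5_conf; the checker only reads the configuration and the keytab's existence, so it is safe to run on a production KDC or SSH host.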
_______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"