My /etc/ssh/sshd_config file has the following in it:
----------------------------------
[other non kerberos stuff]

# To change Kerberos options
KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
KerberosTicketCleanup yes

# Kerberos TGT Passing does only work with the AFS kaserver or krb5
KerberosTgtPassing yes

#GSSAPI authentication
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPIUseSessionCredCache yes

[more non-kerberos stuff]
----------------------------
To get PAM set up so that you automatically get a ticket any time you log in to the local machine you need to do this (debian oriented instructions):
1. apt-get install libpam-krb5
2. You will need to have the host service listed in the local keytab
of your machine. To check for this run the following command as root:
"k5srvutil list". If you see two entries that start with
"host/" go to the next step, otherwise you will need to add them with kadmin. See below.
3. /etc/login.defs
modify the line that says "CLOSE_SESSIONS no"
to "CLOSE_SESSIONS yes"
4. /etc/pam.d/common-auth
(here is what mine looks like - after intro comments)
#auth required pam_unix.so nullok_secure
auth sufficient pam_krb5.so
auth sufficient pam_unix.so nullok try_first_pass
auth required pam_deny.so
That's all, unless you still need to set up your local keytab
(step 2), in which case read the below. So far this has been working for either a plain console login, login via xdm, or login via gdm.
KADMIN - add the host service to the list of principals then add the proper key to your keytab.
1. From your machine run the following as root:
kadmin -p admin/admin
2. Check for your machine's host service principal:
kadmin: listprincs
3. If your machine's host service is not listed add it with:
kadmin: addprinc -randkey host/[machinename].yourdomain
(you don't have to do randkey but I like it)
4. Once the host service principal exists add it to your keytab:
kadmin: ktadd -k /etc/krb5.keytab host/[machinename].yourdomain
5. Exit kadmin: quit.
D.
David Kuhl Parity Systems [EMAIL PROTECTED] -----------------------
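The message above ties three things together: the Kerberos/GSSAPI directives that sshd actually has in effect, the host/ service keys that must be present in the local keytab, and the order of the PAM auth stack. The checker below is an added example written for this page, not code from the thread or from any of the projects it mentions. All inputs are constructed samples (the sshd_config fragment mirrors the one posted, the klist -k listing and the hostname box.example.test are invented placeholders), so it runs offline; on a real host you would feed it the actual files and the output of klist -k or k5srvutil list.

```python
"""Sanity-check the sshd, keytab and PAM pieces of a Kerberos login setup.

Added example for this mailing-list page; sample inputs are constructed.
"""

import re

# Constructed sample of /etc/ssh/sshd_config (same directives as the posted one).
SAMPLE_SSHD_CONFIG = """\
# To change Kerberos options
KerberosAuthentication yes
#KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
KerberosTgtPassing yes
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPIUseSessionCredCache yes
"""

# Constructed sample of ``klist -k`` output. klist prints one line per key,
# so a single host principal normally shows up on two (or more) lines, which
# is the "two entries that start with host/" the instructions look for.
SAMPLE_KLIST_K = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/box.example.test@EXAMPLE.TEST
   3 host/box.example.test@EXAMPLE.TEST
"""

# Constructed sample of /etc/pam.d/common-auth (the stack from the message).
SAMPLE_COMMON_AUTH = """\
#auth required pam_unix.so nullok_secure
auth sufficient pam_krb5.so
auth sufficient pam_unix.so nullok try_first_pass
auth required pam_deny.so
"""


def parse_sshd_config(text):
    """Return the effective value per keyword (keys lower-cased).

    sshd ignores comment lines and uses the *first* occurrence of a keyword,
    so a later duplicate does not override an earlier one.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        if len(parts) != 2:
            continue
        effective.setdefault(parts[0].lower(), parts[1].strip().lower())
    return effective


def sshd_kerberos_status(text):
    """True/False for the two directives that gate Kerberos logins.
    Both default to 'no' in OpenSSH when the keyword is absent."""
    eff = parse_sshd_config(text)
    return {
        "KerberosAuthentication": eff.get("kerberosauthentication", "no") == "yes",
        "GSSAPIAuthentication": eff.get("gssapiauthentication", "no") == "yes",
    }


def host_principals(klist_output):
    """Extract the host/ service principals from ``klist -k`` output."""
    found = []
    for line in klist_output.splitlines():
        m = re.match(r"\s*\d+\s+(host/\S+)", line)  # '<kvno> <principal>' rows only
        if m:
            found.append(m.group(1))
    return found


def pam_auth_stack(text):
    """List of (control, module) for the 'auth' lines, comments skipped."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2]))
    return stack


def check_pam_auth(text):
    """Return a list of problems with the auth stack (empty means it looks fine)."""
    stack = pam_auth_stack(text)
    modules = [m for _, m in stack]
    problems = []
    if "pam_krb5.so" not in modules:
        problems.append("pam_krb5.so is not in the auth stack; no ticket is obtained at login")
    else:
        # A 'sufficient' pam_unix.so ahead of pam_krb5.so short-circuits the stack
        # on a valid local password, so the user logs in without a ticket.
        for ctl, mod in stack[: modules.index("pam_krb5.so")]:
            if mod == "pam_unix.so" and ctl == "sufficient":
                problems.append("sufficient pam_unix.so runs before pam_krb5.so; local logins get no ticket")
                break
    if not stack or stack[-1] != ("required", "pam_deny.so"):
        problems.append("auth stack does not end with 'auth required pam_deny.so'")
    return problems


if __name__ == "__main__":
    print(sshd_kerberos_status(SAMPLE_SSHD_CONFIG))
    print(host_principals(SAMPLE_KLIST_K))
    print(check_pam_auth(SAMPLE_COMMON_AUTH) or "common-auth looks fine")
```

The sshd parser deliberately keeps the first value it sees for a keyword, which is what sshd does; a commented-out "#KerberosAuthentication yes" therefore reports as off, which is the kind of mismatch that produces the "Failed none" line quoted further down in the thread.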
Wes Chow wrote:
Yeah, it looks like the user account "wchow" doesn't exist on the remote machine, which seems odd since you said that the telnet works. But the line in your output:
debug1: Starting up PAM with username "wchow"
Failed none for wchow from 192.168.0.13 port 32804 ssh2
... shows that PAM is failing this user log in.
D.
Sam Hartman wrote:
Your pam account stack is claiming that you are not authorized to log in.
Do I have to do anything special to my PAM stack? I haven't touched it at all.
On a possibly related note, I'm having problems getting PAM authentication to work with console logins. I've added the line "auth sufficient pam_krb5.so forwardable" to /etc/pam.d/common-auth and "session optional pam_krb5.so" to /etc/pam.d/common-session. It's complaining with the error "Authentication service cannot retrieve authentication info." Googling on that, ironically, comes up with my previous email about not being able to get ssh-krb5 to work.
Thanks,
Wes
________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
