> 
> On 19 Jun 2006 11:09:25 -0400, "Richard E. Silverman" <[EMAIL PROTECTED]> 
> wrote:
> >>>>>> "Nod" == Nod  <[EMAIL PROTECTED]> writes:
> >
> >    Nod> I've currently got a Heimdal KDC setup for testing. From the
> >    Nod> testing network, I can successfully get tickets via kinit, and ssh
> >    Nod> with the ticket between servers.  Now, I'm trying to get the
> >    Nod> Windows desktop side working. Right now, I can authenticate
> >    Nod> (using SecureCRT with Kerberos support) but only when I use kinit
> >    Nod> from the Windows XP desktop.  What I'm trying to do is get the
> >    Nod> ssh server on the machine I'm accessing to carry out the kerberos
> >    Nod> authentication, so I don't have to install kerberos software on
> >    Nod> all our support staff's desktops, and put everyone's desktop in
> >    Nod> the realm. Basically, ssh to the server with my kerberos
> >    Nod> password, and have the server carry out the kerberos work for me.
> >
> >So, you want to do two entirely different things.  When you kinit on
> >Windows, you are using ticket-based authentication and you have
> >single-signon.  Now, you do not want to use Kerberos on the clients; you
> >want to use password authentication (no single-signon), and have the SSH
> >server validate the password against Kerberos.
> >
> >You have not said what SSH server you're using, or what server OS, or
> >indeed anything about the server at all.  Assuming it's OpenSSH on Unix,
> >you can use this:
> >
> >PasswordAuthentication yes
> >KerberosAuthentication yes
> >
> >or, use keyboard-interactive authentication and configure PAM to use
> >Kerberos.
> 
> OpenSSH_4.3p2, FreeBSD 6.0, in this case.
> 
> PAM config for ssh
> u2:~# cat /etc/pam.d/sshd | grep krb
> auth            sufficient      pam_krb5.so             no_warn try_first_pass
> account         required        pam_krb5.so
> password        sufficient      pam_krb5.so             no_warn try_first_pass

Since the PAM config is order-dependent, grepping out certain lines does
not show whether it would work, or even if these lines would be consulted
at all.

> SSHD config
> PermitRootLogin yes
> PasswordAuthentication yes
> ChallengeResponseAuthentication yes
> KerberosAuthentication yes
> KerberosOrLocalPasswd yes
> KerberosTicketCleanup yes
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
> UsePAM yes
> Subsystem       sftp    /usr/libexec/sftp-server
> 
> 
> 
> SSH debug of connection attempt, in keyboard interactive mode.
> 
> Invalid user [EMAIL PROTECTED] from ip
> input_userauth_request: invalid user [EMAIL PROTECTED]
> debug1: PAM: initializing for "[EMAIL PROTECTED]"
> debug1: PAM: setting PAM_RHOST to "nt1.myrealm.com"
> Failed none for invalid user [EMAIL PROTECTED] from ip port 3727 ssh2
> Failed none for invalid user [EMAIL PROTECTED] from ip port 3727 ssh2
> debug1: userauth-request for user [EMAIL PROTECTED] service ssh-connection
> method keyboard-interactive
> debug1: attempt 1 failures 1
> debug1: keyboard-interactive devs 
> debug1: auth2_challenge: [EMAIL PROTECTED] devs=
> debug1: kbdint_alloc: devices 'pam'
> debug1: auth2_challenge_start: trying authentication method 'pam'
> Postponed keyboard-interactive for invalid user [EMAIL PROTECTED] from ip
> port 3727 ssh2
> PAM: authentication error for illegal user [EMAIL PROTECTED] from
> nt1.myrealm.com
> Failed keyboard-interactive/pam for invalid user [EMAIL PROTECTED] from ip
> port 3727 ssh2
> Failed keyboard-interactive/pam for invalid user [EMAIL PROTECTED] from ip
> port 3727 ssh2
> Received disconnect from ip: 13: The user canceled authentication. 

> This doesn't appear to have worked, perhaps I'm missing something?

The various references to "illegal user" and "invalid user" suggest an
independent reason why sshd or PAM doesn't like this account.  You'd get
this if, for example, you had set AllowUsers and this account were not
listed.  Perhaps there's something else wrong with this account that PAM
checks, e.g. it has a shell not in /etc/shells?

This seems familiar to me...

-- 
  Richard Silverman
  [EMAIL PROTECTED]
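A self-contained check for the two points made above (the PAM stack is
order-dependent, and "invalid user" is sshd rejecting the account before
PAM is consulted), written as an added example for this archive rather
than anything posted in the thread. The pam.d, passwd, shells and
sshd_config files it reads are constructed in a temporary directory; the
"pam_krb5 first" ordering is an assumption used for comparison, not the
poster's actual configuration:

```shell
#!/bin/sh
# Added example, not from the thread. Two offline checks: (1) a PAM stack is
# evaluated in order, so grep output cannot tell you whether pam_krb5 is ever
# reached; (2) "invalid user" is sshd rejecting the account before PAM runs.
# Every file below is constructed for the demonstration.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed /etc/pam.d/sshd: a requisite local-password module ahead of pam_krb5
cat > "$WORK/pam_unix_first" <<'EOF'
auth            requisite       pam_unix.so             no_warn
auth            sufficient      pam_krb5.so             no_warn try_first_pass
account         required        pam_krb5.so
EOF

# Same modules with pam_krb5 consulted first (assumed ordering, not from the thread)
cat > "$WORK/pam_krb5_first" <<'EOF'
auth            sufficient      pam_krb5.so             no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass
account         required        pam_krb5.so
EOF

cat > "$WORK/passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
nod:*:1001:1001:Nod:/home/nod:/usr/local/bin/zsh
support:*:1002:1002:Support:/home/support:/bin/sh
EOF
printf '/bin/sh\n/bin/csh\n' > "$WORK/shells"
printf 'UsePAM yes\nAllowUsers support\n' > "$WORK/sshd_config"

# pam_walk CONF STACK OK_MODULES: evaluate one stack (auth, account, ...) treating
# the space-separated OK_MODULES as the modules that would succeed for this user.
# Simplified OpenPAM/Linux-PAM control flags (no [value=action] syntax, no include):
#   requisite  failure ends the stack at once
#   required   failure is remembered, later modules still run
#   sufficient success ends the stack unless a required module already failed
#   optional   counts only as a success or an ignored failure
# Prints "PASS:" or "FAIL:" followed by the modules that were actually consulted.
pam_walk() {
    awk -v stack="$2" -v ok=" $3 " '
        $1 == stack {
            flag = $2; mod = $3
            consulted = consulted " " mod
            succ = (index(ok, " " mod " ") > 0)
            if (succ) anysucc = 1
            if (flag == "requisite" && !succ) { result = "FAIL"; exit }
            if (flag == "required" && !succ) { failed = 1 }
            if (flag == "sufficient" && succ && !failed) { result = "PASS"; exit }
        }
        END {
            if (result == "") result = (failed || !anysucc) ? "FAIL" : "PASS"
            print result ":" consulted
            code = (result == "PASS") ? 0 : 1
            exit code
        }' "$1"
}

# check_account USER PASSWD SHELLS SSHD_CONFIG: the pre-PAM reasons sshd reports
# "invalid user". AllowUsers/DenyUsers are matched literally here; real sshd also
# accepts wildcards and user@host patterns.
check_account() {
    user=$1; rc=0
    shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$2")
    if [ -z "$shell" ]; then
        echo "no passwd entry for '$user' (a Kerberos principal is not a local account)"
        return 1
    fi
    grep -qxF "$shell" "$3" || { echo "shell $shell is not listed in $3"; rc=1; }
    allow=$(awk '$1 == "AllowUsers" { $1 = ""; print }' "$4" | tr '\n' ' ')
    deny=$(awk '$1 == "DenyUsers" { $1 = ""; print }' "$4" | tr '\n' ' ')
    if [ -n "$allow" ]; then
        case " $allow " in *" $user "*) ;; *) echo "AllowUsers is set and omits '$user'"; rc=1 ;; esac
    fi
    case " $deny " in *" $user "*) echo "DenyUsers lists '$user'"; rc=1 ;; esac
    return $rc
}

echo "auth, pam_unix first, Kerberos password only: $(pam_walk "$WORK/pam_unix_first" auth pam_krb5.so)"
echo "auth, pam_krb5 first, Kerberos password only: $(pam_walk "$WORK/pam_krb5_first" auth pam_krb5.so)"
for u in nod@MYREALM.COM nod support; do
    echo "account check for $u:"
    check_account "$u" "$WORK/passwd" "$WORK/shells" "$WORK/sshd_config" || true
done
```

Run as-is it shows the Kerberos-only case failing on pam_unix without
pam_krb5 ever being consulted when a requisite pam_unix sits ahead of it,
and passing once the order is swapped; the account checks show a bare
principal name, a shell missing from /etc/shells, and an AllowUsers list
each producing a rejection on their own. The control-flag model is
deliberately simplified and the AllowUsers matching is literal, so treat a
clean result as a hint, not proof: the real sshd -ddd output is still the
authority.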

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos