On 19 Jun 2006 23:09:01 -0400, "Richard E. Silverman" <[EMAIL PROTECTED]> wrote:
>> On 19 Jun 2006 11:09:25 -0400, "Richard E. Silverman" <[EMAIL PROTECTED]> wrote:
>>
>> >>>>>> "Nod" == Nod <[EMAIL PROTECTED]> writes:
>> >
>> >     Nod> I've currently got a Heimdal KDC setup for testing. From the
>> >     Nod> testing network, I can successfully get tickets via kinit, and ssh
>> >     Nod> with the ticket between servers. Now, I'm trying to get the
>> >     Nod> Windows desktop side working. Right now, I can authenticate
>> >     Nod> (using SecureCRT with Kerberos support) but only when I use kinit
>> >     Nod> from the Windows XP desktop. What I'm trying to do is get the
>> >     Nod> ssh server on the machine I'm accessing to carry out the Kerberos
>> >     Nod> authentication, so I don't have to install Kerberos software on
>> >     Nod> all our support staff's desktops, and put everyone's desktop in
>> >     Nod> the realm. Basically, ssh to the server with my Kerberos
>> >     Nod> password, and have the server carry out the Kerberos work for me.
>> >
>> > So, you want to do two entirely different things. When you kinit on
>> > Windows, you are using ticket-based authentication and you have
>> > single sign-on. Now, you do not want to use Kerberos on the clients; you
>> > want to use password authentication (no single sign-on), and have the SSH
>> > server validate the password against Kerberos.
>> >
>> > You have not said what SSH server you're using, or what server OS, or
>> > indeed anything about the server at all. Assuming it's OpenSSH on Unix,
>> > you can use this:
>> >
>> > PasswordAuthentication yes
>> > KerberosAuthentication yes
>> >
>> > or, use keyboard-interactive authentication and configure PAM to use
>> > Kerberos.
>>
>> OpenSSH_4.3p2, FreeBSD 6.0, in this case.
>>
>> PAM config for ssh
>> u2:~# cat /etc/pam.d/sshd | grep krb
>> auth      sufficient  pam_krb5.so  no_warn try_first_pass
>> account   required    pam_krb5.so
>> password  sufficient  pam_krb5.so  no_warn try_first_pass
>
> Since the PAM config is order-dependent, grepping out certain lines does
> not show whether it would work, or even if these lines would be consulted
> at all.
>
>> SSHD config
>> PermitRootLogin yes
>> PasswordAuthentication yes
>> ChallengeResponseAuthentication yes
>> KerberosAuthentication yes
>> KerberosOrLocalPasswd yes
>> KerberosTicketCleanup yes
>> GSSAPIAuthentication yes
>> GSSAPICleanupCredentials yes
>> UsePAM yes
>> Subsystem sftp /usr/libexec/sftp-server
>>
>> SSH debug of connection attempt, in keyboard-interactive mode.
>>
>> Invalid user [EMAIL PROTECTED] from ip
>> input_userauth_request: invalid user [EMAIL PROTECTED]
>> debug1: PAM: initializing for "[EMAIL PROTECTED]"
>> debug1: PAM: setting PAM_RHOST to "nt1.myrealm.com"
>> Failed none for invalid user [EMAIL PROTECTED] from ip port 3727 ssh2
>> Failed none for invalid user [EMAIL PROTECTED] from ip port 3727 ssh2
>> debug1: userauth-request for user [EMAIL PROTECTED] service ssh-connection method keyboard-interactive
>> debug1: attempt 1 failures 1
>> debug1: keyboard-interactive devs
>> debug1: auth2_challenge: [EMAIL PROTECTED] devs=
>> debug1: kbdint_alloc: devices 'pam'
>> debug1: auth2_challenge_start: trying authentication method 'pam'
>> Postponed keyboard-interactive for invalid user [EMAIL PROTECTED] from ip port 3727 ssh2
>> PAM: authentication error for illegal user [EMAIL PROTECTED] from nt1.myrealm.com
>> Failed keyboard-interactive/pam for invalid user [EMAIL PROTECTED] from ip port 3727 ssh2
>> Failed keyboard-interactive/pam for invalid user [EMAIL PROTECTED] from ip port 3727 ssh2
>> Received disconnect from ip: 13: The user canceled authentication.
>
>> This doesn't appear to have worked; perhaps I'm missing something?
>
> The various references to "illegal user" and "invalid user" suggest an
> independent reason why sshd or PAM don't like this account. You'd get
> this if, for example, you had set AllowUsers and this account were not
> listed. Perhaps there's something else wrong with this account that PAM
> checks, e.g. it has a shell not in /etc/shells?
>
> This seems familiar to me...

Here's the whole PAM config for ssh:

# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
#
# PAM configuration for the "sshd" service
#

# auth
auth            required        pam_nologin.so          no_warn
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass

# account
account         required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         required        pam_permit.so

# password
password        sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass

As for the user, no, it doesn't exist on the box. This might be where I'm
running into a problem. Right now, this box only has its root user and
various system accounts on it.

Here's what I'm trying to do:

- Set up Kerberos users for my various support techs. This is done, and I
  can kinit from the servers as those users.
- Allow the Kerberos users login access to the servers, and eventually,
  sudo access.

Right now, I've not added any local users to the servers themselves, as I
was under the impression that having them in Kerberos would make them a
'virtual' user of sorts. Am I missing something here, or do I have a
fundamental misunderstanding of something? Your input is greatly
appreciated.

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
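The following is an added example for readers of this thread; it is not code from either poster or from FreeBSD, OpenSSH or any PAM implementation. It models two things the exchange above turns on: sshd's own account lookup (the "Invalid user" lines come from sshd failing to find the login name in the passwd database before PAM does any authenticating, so a login name of the form user@REALM or a principal with no local account is rejected at that point), and the order-dependent evaluation of a PAM stack with the `required`/`requisite`/`sufficient`/`optional` control flags that Richard refers to. The stacks are the poster's `auth` and `account` stacks; the passwd entries and every per-module outcome (no OPIE entry, pam_opieaccess allowing the client, a correct Kerberos password, and so on) are constructed assumptions passed in as inputs, not real module calls. The reordered stack at the end is hypothetical and exists only to show why the grep'd lines alone cannot tell you whether the configuration works.

```python
"""Model sshd's pre-PAM account check and PAM control-flag evaluation.

Added example, not from the mailing-list thread. Module results are
constructed inputs; nothing here talks to a KDC or the real PAM library.
"""
from typing import Dict, List, Tuple

Stack = List[Tuple[str, str]]  # (control flag, module name)

# The poster's /etc/pam.d/sshd, 'auth' and 'account' phases, in file order.
AUTH_STACK: Stack = [
    ("required", "pam_nologin"),
    ("sufficient", "pam_opie"),
    ("requisite", "pam_opieaccess"),
    ("sufficient", "pam_krb5"),
    ("required", "pam_unix"),
]
ACCOUNT_STACK: Stack = [
    ("required", "pam_krb5"),
    ("required", "pam_login_access"),
    ("required", "pam_unix"),
]
# Hypothetical reordering: pam_unix consulted before pam_krb5.
REORDERED_AUTH_STACK: Stack = [
    ("required", "pam_nologin"),
    ("required", "pam_unix"),
    ("sufficient", "pam_krb5"),
]

# Constructed passwd database: '*' means no local password (Kerberos only).
PASSWD_DB = """\
root:*:0:0:Charlie &:/root:/bin/csh
nod:*:1001:1001:Support tech:/home/nod:/bin/sh
"""


def evaluate(stack: Stack, outcomes: Dict[str, bool]) -> bool:
    """Standard PAM control-flag semantics (Linux-PAM / OpenPAM):
    required   - failure is remembered, but the rest of the stack still runs
    requisite  - failure ends the stack immediately
    sufficient - success ends the stack with success unless an earlier
                 'required' module already failed; failure is ignored
    optional   - ignored unless it is the only module in the stack
    A module missing from `outcomes` is treated as failing."""
    failed = False
    for flag, module in stack:
        ok = outcomes.get(module, False)
        if flag == "required":
            failed = failed or not ok
        elif flag == "requisite":
            if not ok:
                return False
        elif flag == "sufficient":
            if ok and not failed:
                return True
        elif flag == "optional":
            if len(stack) == 1:
                return ok
        else:
            raise ValueError(f"unknown control flag {flag!r}")
    return not failed


def local_account_exists(username: str, passwd_text: str = PASSWD_DB) -> bool:
    """sshd resolves the login name with getpwnam() before running PAM; a miss
    is what the debug log shows as 'invalid user'. 'nod@MYREALM.COM' is not
    a key in the passwd database, so a principal name used as the SSH login
    name fails here regardless of Kerberos."""
    for line in passwd_text.splitlines():
        if line and not line.startswith("#") and line.split(":", 1)[0] == username:
            return True
    return False


def ssh_login(username: str, kerberos_password_ok: bool,
              local_password_ok: bool, auth_stack: Stack = AUTH_STACK) -> str:
    """Verdict for a keyboard-interactive/PAM login attempt."""
    if not local_account_exists(username):
        return "invalid user"
    auth_outcomes = {
        "pam_nologin": True,       # assumed: /var/run/nologin absent
        "pam_opie": False,         # assumed: user has no OPIE entry
        "pam_opieaccess": True,    # assumed: allow_local permits this client
        "pam_krb5": kerberos_password_ok,
        "pam_unix": local_password_ok,
    }
    if not evaluate(auth_stack, auth_outcomes):
        return "auth failed"
    account_outcomes = {
        "pam_krb5": True,          # assumed: principal maps to this local user
        "pam_login_access": True,  # assumed: default login.access
        "pam_unix": True,          # local account exists and is not expired
    }
    if not evaluate(ACCOUNT_STACK, account_outcomes):
        return "account failed"
    return "ok"


if __name__ == "__main__":
    print(ssh_login("nod@MYREALM.COM", True, False))   # invalid user
    print(ssh_login("nod", True, False))               # ok
    print(ssh_login("nod", True, False, REORDERED_AUTH_STACK))  # auth failed
```

With the poster's file order, a user whose passwd entry exists but carries no local password logs in on a correct Kerberos password because `pam_krb5` is `sufficient` and is consulted before `pam_unix`; with `pam_unix` moved ahead as `required`, the same user is refused even though `pam_krb5` succeeds, which is the order dependence the grep output hides. The login name itself has to resolve locally first; Kerberos alone does not create the account, and that is where the thread's "invalid user" comes from.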