Carl,
Since my postings of last Sept, I have moved to ssh 2.4.0, so I decided to
try the Kerberos support again. No trouble compiling this time (against
Kerberos 1.2.1 libraries). The configuration options turn out to be a bit
different than you indicated back then, as I determined from looking at the
source code. They are:
AllowedAuthentications [EMAIL PROTECTED],[EMAIL PROTECTED]
What I find is that Kerberos password authentication (i.e., 'proxy' auth)
works -- sshd accepts either my Kerberos passphrase or my Unix password --
but I can't get Kerberos credential authentication to work. With the above
statement in my sshd2_config, even if I have first obtained a TGT, I'm
still prompted for a password and my Kerberos or Unix passwords do work.
It seems my credential is just ignored. In my test, the client and server
are the same machine and I made sure the above configuration appears in
both sshd2_config and ssh2_config.
Is there something else I should be doing?
Thanks.
Mike
==============================================
On Fri Sep 15 13:53:42 2000, Carl J. Nobile said:
> Okay configuration is simple.
>
> This is from the patch info I got from Anne:
>
> Note that you may need to edit /etc/ssh2/sshd2_config to add
> "kerberos-tgt" and "kerberos" to AllowedAuthentications. You may also
> need to edit the AllowedAuthentications line in the client's
> configuration file (/etc/ssh2/ssh2_config and/or ~/.ssh2/ssh2_config)
> to add these methods on the AllowedAuthentications line. (Note that
> they are all allowed by default, but the default
> /etc/ssh2/sshd2_config file contains an AllowedAuthentications line
> that disables them. In my opinion we should comment out the
> AllowedAuthentications line from the default config file that installs
> with the distribution.)
>
> This patch set should implement the same level of Kerberos support
> that SSH1 has, i.e.:
> - Authenticating to remote host using Kerberos credentials
> - Authenticating to remote host using forwardable TGT (ticket
>   granting ticket) and passing TGT to remote host for single sign-on
> - Kerberos password authentication, plus implicit "kinit -f" (i.e.,
>   when logging in using Kerberos password, the ticket granting
>   ticket is added to user's credentials for single sign-on)
> - supports local name being different from Kerberos name and
>   cross-realm authentication (i.e., the <user>@<realm> syntax for -l).
----------------------------------------------------------------------------
Mike Friedman [EMAIL PROTECTED]
System & Network Security +1-510-642-1410
University of California at Berkeley http://ack.Berkeley.EDU/~mikef
----------------------------------------------------------------------------