https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268186
--- Comment #35 from [email protected] ---
(In reply to Cy Schubert from comment #34)

We seem to be discussing at least 3 different authentication mechanisms that could all properly be called "Kerberos authentication":

1) OpenSSH with GSSAPIAuthentication: the client passes a service ticket to the server.
2) OpenSSH with KerberosAuthentication: the server prompts the client for a password and those credentials are verified by the KDC.
3) OpenSSH with PAM and pam_krb5: according to the documentation (https://www.freebsd.org/cgi/man.cgi?query=pam_krb5&sektion=8&n=1) this also prompts for a password:

    It prompts the user for a password and obtains a new Kerberos TGT for the principal. The TGT is verified by obtaining a service ticket for the local host.

    When prompting for the current password, the authentication module will use the prompt "Password for <principal>:".

I am trying to achieve authentication using a service ticket, without prompting the user for a password. I just want to confirm that we are pursuing the same solution here. Can this be done with PAM?

On your other questions: I am testing using a FreeBSD client and server, with the only Linux machine being the FreeIPA KDC. The FreeBSD client config looks like this:

    ForwardX11Trusted yes
    GSSAPIAuthentication yes
    PubkeyAuthentication no
    VerifyHostKeyDNS yes
    KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
    GSSAPIDelegateCredentials yes
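The three mechanisms listed in the comment map to three server-side sshd_config keywords. The following is an added example, not part of the bug report or the FreeBSD sources: it reports which of those paths a given sshd_config explicitly enables and which of them prompt for a password. The sample config is constructed, and the check assumes only global keywords matter (it stops at the first Match block) and does not inspect the PAM stack itself.

```python
import re

# keyword -> (mechanism as numbered in the comment, prompts for a password?)
PATHS = {
    "gssapiauthentication": ("1) GSSAPI service ticket", False),
    "kerberosauthentication": ("2) password verified by the KDC", True),
    "usepam": ("3) PAM (pam_krb5, if present in the PAM stack)", True),
}

def global_settings(text):
    """Parse global sshd_config keywords; the first value seen for a keyword wins."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().strip('"')
        if key == "match":  # conditional blocks are out of scope here
            break
        seen.setdefault(key, value)
    return seen

def kerberos_paths(text):
    """Return {mechanism: True/False/None}; None means unset (platform default applies)."""
    cfg = global_settings(text)
    result = {}
    for key, (name, _prompts) in PATHS.items():
        value = cfg.get(key)
        result[name] = None if value is None else value.lower() == "yes"
    return result

def password_prompting_paths(text):
    """Mechanisms that are explicitly enabled and ask the user for a password."""
    state = kerberos_paths(text)
    return [name for name, prompts in PATHS.values() if prompts and state[name]]

# Constructed sample server config (not taken from the bug report).
SAMPLE = """\
# sshd_config (constructed)
GSSAPIAuthentication yes
KerberosAuthentication = no
UsePAM yes
GSSAPIAuthentication no
"""
```

A result of `None` for a keyword means the config leaves it to the platform's built-in default, which differs between OpenSSH builds, so it has to be checked against the local sshd_config(5).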
