On 19 Jun 2006 11:09:25 -0400, "Richard E. Silverman" <[EMAIL PROTECTED]> wrote:
>>>>>> "Nod" == Nod <[EMAIL PROTECTED]> writes:
>
>    Nod> I've currently got a Heimdal KDC setup for testing. From the
>    Nod> testing network, I can successfully get tickets via kinit, and ssh
>    Nod> with the ticket between servers. Now, I'm trying to get the
>    Nod> Windows desktop side working. Right now, I can authenticate
>    Nod> (using SecureCRT with Kerberos support) but only when I use kinit
>    Nod> from the Windows XP desktop. What I'm trying to do is get the
>    Nod> ssh server on the machine I'm accessing to carry out the kerberos
>    Nod> authentication, so I don't have to install kerberos software on
>    Nod> all our support staff's desktops, and put everyone's desktop in
>    Nod> the realm. Basically, ssh to the server with my kerberos
>    Nod> password, and have the server carry out the kerberos work for me.
>
>So, you want to do two entirely different things. When you kinit on
>Windows, you are using ticket-based authentication and you have
>single-signon. Now, you do not want to use Kerberos on the clients; you
>want to use password authentication (no single-signon), and have the SSH
>server validate the password against Kerberos.
>
>You have not said what SSH server you're using, or what server OS, or
>indeed anything about the server at all. Assuming it's OpenSSH on Unix,
>you can use this:
>
>PasswordAuthentication yes
>KerberosAuthentication yes
>
>or, use keyboard-interactive authentication and configure PAM to use
>Kerberos.

OpenSSH_4.3p2, FreeBSD 6.0, in this case.
PAM config for ssh:

u2:~# cat /etc/pam.d/sshd | grep krb
auth            sufficient      pam_krb5.so     no_warn try_first_pass
account         required        pam_krb5.so
password        sufficient      pam_krb5.so     no_warn try_first_pass

SSHD config:

PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
Subsystem sftp /usr/libexec/sftp-server

SSH debug of connection attempt, in keyboard-interactive mode:

Invalid user [EMAIL PROTECTED] from ip
input_userauth_request: invalid user [EMAIL PROTECTED]
debug1: PAM: initializing for "[EMAIL PROTECTED]"
debug1: PAM: setting PAM_RHOST to "nt1.myrealm.com"
Failed none for invalid user [EMAIL PROTECTED] from ip port 3727 ssh2
Failed none for invalid user [EMAIL PROTECTED] from ip port 3727 ssh2
debug1: userauth-request for user [EMAIL PROTECTED] service ssh-connection method keyboard-interactive
debug1: attempt 1 failures 1
debug1: keyboard-interactive devs
debug1: auth2_challenge: [EMAIL PROTECTED] devs=
debug1: kbdint_alloc: devices 'pam'
debug1: auth2_challenge_start: trying authentication method 'pam'
Postponed keyboard-interactive for invalid user [EMAIL PROTECTED] from ip port 3727 ssh2
PAM: authentication error for illegal user [EMAIL PROTECTED] from nt1.myrealm.com
Failed keyboard-interactive/pam for invalid user [EMAIL PROTECTED] from ip port 3727 ssh2
Failed keyboard-interactive/pam for invalid user [EMAIL PROTECTED] from ip port 3727 ssh2
Received disconnect from ip: 13: The user canceled authentication.

This doesn't appear to have worked, perhaps I'm missing something?

________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
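A small triage script, added here as an illustration and not part of the thread or of OpenSSH, Heimdal or pam_krb5: it reads sshd auth lines in the shapes shown in the debug output above and separates attempts that sshd rejected because the login name has no local account (sshd prints "Invalid user ... from ..." when its getpwnam lookup fails, before PAM or Kerberos ever see a password; in the post the rejected name is a principal-style user@REALM) from ordinary bad-password failures and from accepted logins. The sample lines are constructed: the login name nod@MYREALM.COM and the users alice and bob are placeholders, and the realm is only guessed from the nt1.myrealm.com hostname in the post.

```python
import re
from dataclasses import dataclass, field

# Log shapes taken from the sshd debug output in the post. "Invalid user" /
# "invalid user" / "illegal user" all mean the same thing: sshd found no local
# account for the login name, so the attempt fails before any password check.
INVALID_RE = re.compile(r"^Invalid user (?P<user>\S+) from (?P<host>\S+)")
FAILED_RE = re.compile(
    r"^Failed (?P<method>\S+) for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<host>\S+)"
)
ACCEPTED_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<host>\S+)")
PAM_ERR_RE = re.compile(
    r"^PAM: authentication error for (?P<illegal>illegal user )?(?P<user>\S+) from (?P<host>\S+)"
)

# Constructed sample in the shape of the post's debug output. "ip" stands in
# for a redacted client address, as in the post; nod@MYREALM.COM, alice and
# bob are placeholders, not names from the thread.
SAMPLE_LOG = """\
Invalid user nod@MYREALM.COM from ip
Failed none for invalid user nod@MYREALM.COM from ip port 3727 ssh2
Postponed keyboard-interactive for invalid user nod@MYREALM.COM from ip port 3727 ssh2
PAM: authentication error for illegal user nod@MYREALM.COM from nt1.myrealm.com
Failed keyboard-interactive/pam for invalid user nod@MYREALM.COM from ip port 3727 ssh2
Received disconnect from ip: 13: The user canceled authentication.
Failed keyboard-interactive/pam for alice from ip port 3801 ssh2
PAM: authentication error for alice from nt1.myrealm.com
Accepted keyboard-interactive/pam for bob from ip port 3802 ssh2
"""


@dataclass
class Attempt:
    user: str
    hosts: set = field(default_factory=set)
    local_account: bool = True
    failed_methods: list = field(default_factory=list)
    pam_error: bool = False
    accepted: bool = False

    @property
    def realm_suffix(self):
        """REALM part of a principal-style login name (user@REALM), else None."""
        return self.user.partition("@")[2] or None

    def diagnosis(self):
        if self.accepted:
            return "accepted"
        if not self.local_account and self.realm_suffix:
            # The failure mode in the post: the SSH login name was given as
            # user@REALM, which is not a local account name, so sshd rejected
            # it before pam_krb5 could validate the password.
            return "no-local-account (realm suffix in login name)"
        if not self.local_account:
            return "no-local-account"
        if self.pam_error or self.failed_methods:
            return "bad-credentials"
        return "incomplete"


def analyze(log_text):
    """Group sshd auth lines per login name and return a diagnosis for each."""
    attempts = {}

    def get(user, host):
        a = attempts.setdefault(user, Attempt(user))
        a.hosts.add(host)
        return a

    for line in log_text.splitlines():
        line = line.strip()
        if m := INVALID_RE.match(line):
            get(m["user"], m["host"]).local_account = False
        elif m := FAILED_RE.match(line):
            a = get(m["user"], m["host"])
            if m["invalid"]:
                a.local_account = False
            a.failed_methods.append(m["method"])
        elif m := ACCEPTED_RE.match(line):
            get(m["user"], m["host"]).accepted = True
        elif m := PAM_ERR_RE.match(line):
            a = get(m["user"], m["host"])
            a.pam_error = True
            if m["illegal"]:
                a.local_account = False
    return {user: a.diagnosis() for user, a in attempts.items()}


if __name__ == "__main__":
    for user, verdict in analyze(SAMPLE_LOG).items():
        print(f"{user:20} {verdict}")
```

Run against the constructed sample, the principal-style name is reported as "no-local-account (realm suffix in login name)", alice as "bad-credentials" and bob as "accepted"; on a real host the same distinction tells you whether to look at account naming (a local account whose name matches the Kerberos principal, with the realm taken from the Kerberos default realm rather than typed into the SSH login name) or at the password path.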
