Javier,

I'm trying ticket auth; password auth against AD (KDC) (krb+ldap pam)
is working fine:

mmezzano...@os112:~> klist
Ticket cache: FILE:/tmp/krb5cc_10002_b8QDZx
Default principal: [email protected]

Valid starting     Expires            Service principal
01/04/10 13:58:36  01/04/10 23:58:37  krbtgt/[email protected]
        renew until 01/05/10 13:58:36
01/04/10 14:09:23  01/04/10 23:58:37  host/[email protected]
        renew until 01/05/10 13:58:36

I got these tickets doing ssh with password auth, but now I have tickets;
I want to use ssh without a password (just tickets).

thank you,
marcello

On Mon, Jan 4, 2010 at 3:41 PM, Javier Palacios <[email protected]> wrote:
>> login as: mmezzanotti
>> Using keyboard-interactive authentication.
>> Password:
>> Last login: Wed Dec 30 14:00:19 2009 from localhost
>> Have a lot of fun...
>> mmezzano...@os112:~> ls
>> bin      Documents  Music     Public       Templates
>> Desktop  Download   Pictures  public_html  Videos
>> mmezzano...@os112:~> klist
>> Ticket cache: FILE:/tmp/krb5cc_10002_b8QDZx
>> Default principal: [email protected]
>>
>> Valid starting     Expires            Service principal
>> 01/04/10 13:58:36  01/04/10 23:58:37  krbtgt/[email protected]
>>        renew until 01/05/10 13:58:36
>
> I'm not sure if you are actually testing ticket authentication, but
> just Kerberos password authentication (by far much easier).
> To actually check what you want, I recommend you start working just on
> the Linux node, and enter as whichever user. Then
> # kinit mmezzanotti
> # ssh mmezzano...@os112
> If it does ask you for a password, then credential authentication is not
> working. And depending on whether your TGT was proxyable or not, you might
> even end up with void output from klist.
>
> Someone answered about the need of a host keytab to achieve this. As
> far as I remember that is not mandatory for Linux (or wasn't for a
> Debian in 2004), but take it into account.
>
>> mmezzano...@os112:~> ssh -vvv [email protected]
>>
>
> Try adding 'debug' to all pam.d lines on Kerberos. That will produce
> much less verbose and hopefully more useful info.
>



-- 
Marcello Mezzanotti <[email protected]>
http://blogdomarcello.wordpress.com
Information Security
UNIX / Linux / *BSD

________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
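
Added example, not part of the thread: a shell check for the test Javier describes (kinit, then ssh), which permits only GSSAPI so that a password or keyboard-interactive fallback cannot pass for ticket authentication. It assumes an OpenSSH client and MIT `klist`; the function names, the debug-line wording and the sample logs are assumptions or constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Debug-line wording is assumed from
# OpenSSH client output; the sample logs at the bottom are constructed.

# Allow only GSSAPI so a password prompt cannot mask a ticket failure.
GSS_ONLY_OPTS="-o PreferredAuthentications=gssapi-with-mic -o GSSAPIAuthentication=yes -o BatchMode=yes"

# Read `ssh -v` output on stdin and report which method actually logged in.
# Handles both the older "Authentication succeeded (method)." line and the
# newer 'Authenticated to host (...) using "method".' line.
classify_auth() {
    method=$(sed -n \
        -e 's/.*Authentication succeeded (\([a-z-]*\)).*/\1/p' \
        -e 's/.*Authenticated to .* using "\([a-z-]*\)".*/\1/p' | head -n 1)
    case "$method" in
        gssapi-*) echo "ticket:$method" ;;
        "")       echo "failed" ;;
        *)        echo "not-ticket:$method" ;;
    esac
}

# Usage: ticket_login_test user@host   (run kinit first to obtain a TGT)
ticket_login_test() {
    # klist -s exits non-zero when there is no valid credential cache.
    klist -s || { echo "no-tgt"; return 2; }
    # The options are intentionally unquoted so they split into words.
    ssh -v $GSS_ONLY_OPTS "$1" true 2>&1 | classify_auth
}

# Constructed samples: a password-style login like the one quoted above,
# a ticket login, and a server that accepted no GSSAPI credentials.
SAMPLE_PASSWORD_LOGIN='debug1: Next authentication method: keyboard-interactive
debug1: Authentication succeeded (keyboard-interactive).'
SAMPLE_TICKET_LOGIN='debug1: Next authentication method: gssapi-with-mic
debug1: Authentication succeeded (gssapi-with-mic).'
SAMPLE_REJECTED='debug1: Next authentication method: gssapi-with-mic
debug1: No more authentication methods to try.'
```

A result of `failed` from `ticket_login_test` with a valid TGT points at the server side (GSSAPI disabled in sshd, or the host keytab question raised in the quoted reply) rather than at the client's tickets.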
