On Sat, Jun 11, 2011 at 02:18:57PM +0800, Lee Eric wrote:
> # Kerberos options
> KerberosAuthentication yes

Aside: note that you almost certainly don't want this. "KerberosAuthentication" means "cleartext password authentication, checking the password against the KDC".

To authenticate people using their Kerberos ticket you need:

> GSSAPIAuthentication yes

(which you already have), and preferably also:

GSSAPIKeyExchange yes

(this is a second form of ssh Kerberos authentication which takes advantage of Kerberos mutual authentication, to authenticate the server to the client as well as the client to the server. It means you don't need the known_hosts file, and the user is never prompted whether or not to accept the host key fingerprint when first connecting)

> UsePAM yes

You probably don't want that, unless you're also authenticating against PAM in the event that Kerberos fails.

> And on client side, I'm getting the principal of the user huli then
> try to login.

> debug3: Not a RSA1 key file /root/.ssh/id_rsa.
> debug2: key_type_from_name: unknown key type '-----BEGIN'

That's broken; you should rm that file (or mv it out of the way). You can't use a PGP key or an X509-style private key as an SSH key.

Regards,

Brian.
________________________________________________
Kerberos mailing list
https://mailman.mit.edu/mailman/listinfo/kerberos
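
The server-side advice in the reply above, expressed as a small sshd_config check. This is an added example, not part of the original message: the sample config is constructed, and treating an absent keyword as "no" is an assumption (distribution builds may default differently, and GSSAPIKeyExchange exists only in OpenSSH builds that carry the GSSAPI key exchange patch).

```python
import re

# Constructed sample modelled on the server settings quoted in the thread.
SAMPLE = """\
# Kerberos options
KerberosAuthentication yes
GSSAPIAuthentication yes
UsePAM yes
"""

# (keyword, value that triggers a finding, reason taken from the reply above)
CHECKS = [
    ("KerberosAuthentication", "yes",
     "password is sent to sshd and checked against the KDC; no ticket is used"),
    ("GSSAPIAuthentication", "no",
     "Kerberos tickets are not accepted for login"),
    ("GSSAPIKeyExchange", "no",
     "server is not authenticated through Kerberos; clients rely on known_hosts"),
    ("UsePAM", "yes",
     "only needed when PAM is the fallback if Kerberos fails"),
]

# "Keyword value" or "Keyword=value"; comments and blank lines do not match.
LINE = re.compile(r"(\w+)(?:\s*=\s*|\s+)(.*)")

def global_options(text):
    """Parse the global section of an sshd_config into {keyword: value}."""
    opts = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:                      # blank line, comment, or bare keyword
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"').lower()
        if key == "match":             # per-user/host overrides are out of scope
            break
        opts.setdefault(key, value)    # sshd keeps the first value it reads
    return opts

def audit(text):
    """Return [(keyword, reason)] for settings the reply advises against."""
    opts = global_options(text)
    # Assumption: an absent keyword counts as "no" (upstream default).
    return [(kw, why) for kw, bad, why in CHECKS if opts.get(kw.lower(), "no") == bad]

if __name__ == "__main__":
    for kw, why in audit(SAMPLE):
        print(f"{kw}: {why}")
```

Only the global section is checked; settings inside Match blocks need a separate pass.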
