Thanks mate. And btw, I use pam_afs_session in the OpenSSH PAM configuration, so do I have to comment out UsePAM?
Eric

On Sun, Jun 12, 2011 at 1:09 AM, Brian Candler <[email protected]> wrote:
> On Sat, Jun 11, 2011 at 02:18:57PM +0800, Lee Eric wrote:
>> # Kerberos options
>> KerberosAuthentication yes
>
> Aside: note that you almost certainly don't want this.
> "KerberosAuthentication" means "cleartext password authentication, checking
> the password against the KDC"
>
> To authenticate people using their Kerberos ticket you need:
>
>> GSSAPIAuthentication yes
>
> (which you already have), and preferably also:
>
> GSSAPIKeyExchange yes
>
> (this is a second form of ssh Kerberos authentication which takes advantage
> of Kerberos mutual authentication, to authenticate the server to the client
> as well as the client to the server. It means you don't need the known_hosts
> file, and the user is never prompted whether or not to accept the host key
> fingerprint when first connecting)
>
>> UsePAM yes
>
> You probably don't want that, unless you're also authenticating against PAM
> in the event that Kerberos fails.
>
>> And on client side, I'm getting the principal of the user huli then
>> try to login.
>
>> debug3: Not a RSA1 key file /root/.ssh/id_rsa.
>> debug2: key_type_from_name: unknown key type '-----BEGIN'
>
> That's broken; you should rm that file (or mv it out of the way). You can't
> use a PGP key or an X509-style private key as an SSH key.
>
> Regards,
>
> Brian.
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
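An added audit script, not part of this thread, that reads an sshd_config and reports the four settings Brian walks through (KerberosAuthentication, GSSAPIAuthentication, GSSAPIKeyExchange, UsePAM). It assumes POSIX sh with awk, ignores Match blocks, and the embedded sample config is constructed here, modelled on the lines quoted above:

```shell
#!/bin/sh
# Added example, not from the thread: report the Kerberos-related sshd
# settings discussed above. Assumes POSIX sh + awk; Match blocks are ignored.

# Effective value of a keyword: sshd takes the first uncommented occurrence,
# and keywords are case-insensitive. Prints nothing if the keyword is unset.
sshd_opt() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print tolower($2); exit }' "$1"
}

# One finding per line: WARN = change it, INFO = confirm it is intended.
audit_sshd_kerberos() {
    cfg=$1
    if [ "$(sshd_opt "$cfg" KerberosAuthentication)" = yes ]; then
        echo "WARN KerberosAuthentication yes: cleartext password checked against the KDC; set to no"
    fi
    if [ "$(sshd_opt "$cfg" GSSAPIAuthentication)" != yes ]; then
        echo "WARN GSSAPIAuthentication not enabled: ticket-based login unavailable"
    fi
    if [ "$(sshd_opt "$cfg" GSSAPIKeyExchange)" != yes ]; then
        echo "INFO GSSAPIKeyExchange not enabled: host verified via known_hosts fingerprint, not Kerberos mutual auth"
    fi
    if [ "$(sshd_opt "$cfg" UsePAM)" = yes ]; then
        echo "INFO UsePAM yes: PAM stays an authentication path; confirm this is intended"
    fi
}

# Constructed sample modelled on the config quoted in the thread.
write_sample_config() {
    cat > "$1" <<'EOF'
# Kerberos options
KerberosAuthentication yes
#KerberosOrLocalPasswd yes
GSSAPIAuthentication yes
UsePAM yes
EOF
}

# Audit the file given as $1, or the embedded sample when run bare.
if [ -n "${1:-}" ]; then
    audit_sshd_kerberos "$1"
else
    tmp=$(mktemp)
    write_sample_config "$tmp"
    audit_sshd_kerberos "$tmp"
    rm -f "$tmp"
fi
```

Run it as `sh audit.sh /etc/ssh/sshd_config` on a real host; the sample run yields one WARN (KerberosAuthentication) and two INFO lines.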
