I have been mis-quoted below, the section of sshd_config
file is not from me. I was suggesting that you not allow
passwords at all, but allow GSSAPI. Don't let sshd do any
Kerboers or AFS calls directly (gss are OK), but rely on
PAM to do this.
PasswordAuthentication no
ChallengeResponseAuthentication no
KerberosAuthentication no
KerberosGetAFSToken no
KerberosOrLocalPassword no
GSSAPIAuthenticaiton yes
GSSAPICleanupCredentials yes
El Barto wrote:
On Mon, 19 Feb 2007 21:25:08 +0100
Bastian <[EMAIL PROTECTED]> wrote:
On Mon, 19 Feb 2007 10:14:56 -0600
"Douglas E. Engert" <[EMAIL PROTECTED]> wrote:
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
# Kerberos options
KerberosAuthentication yes
KerberosAuthentication no
#KerberosGetAFSToken yes
KerberosGetAFSToken no
KerberosOrLocalPasswd yes
KerberosOrLocalPassword no
KerberosTicketCleanup yes
KerberosTicketCleanup no
# GSSAPI options
GSSAPIAuthentication no
GSSAPIAuthenticaiton yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
Try GSSAPIAuthentication instead of KerberosAuthentication. GSSAPI
stands for Kerberos 5 in this case. Maybe differences between K4 en K5
cause the realm name problem.
I don have the Kerberos*-entries in my sshd_conf, and pam_krb5 &
pam_openafs-session work fine (Debian Sarge and Debian Etch)
Bastian
The thing is that does the same on a physical login.
Can you paste your pam configuration for your Debian Etch please ?
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
