Dear list members, I have setted openssh to work with kerberos. My initial ideia is to permit credential (tickets) or login password (/etc/passwd). In order to achieve so, i have the following (relevant part only) configuration:
GSSAPIAuthentication yes KerberosAuthentication no KerberosGetAFSToken no KerberosOrLocalPasswd no KerberosTicketCleanup yes PasswordAuthentication yes I created a user with "*" password to force GSSAPI authentication. I got surprised when without having pulled the ticket (and remenber, with a "*" password entry in /etc/passwd) the user was still allowed to login by providing a password (from the kerberos server principal) Now, an explanation: PasswordAuthentication Use this directive to specify if a password must be accepted as proof of identity at login. If KerberosAuthentication is disabled, the login password is sufficient. However, when KerberosAuthentication is also enabled, the Kerberos Server password is accepted as a proof of identity. Does anybody know where am i wrong? PS: I am using openbsd 4.0 stable.
