Okay, configuration is simple.

This is from the patch info I got from Anne:

Note that you may need to edit /etc/ssh2/sshd2_config to add
"kerberos-tgt" and "kerberos" to AllowedAuthentications.  You may also
need to edit the AllowedAuthentications line in the client's
configuration file (/etc/ssh2/ssh2_config and/or ~/.ssh2/ssh2_config)
to add these methods on the AllowedAuthentications line.  (Note that
they are all allowed by default, but the default
/etc/ssh2/sshd2_config file contains an AllowedAuthentications line
that disables them.  In my opinion we should comment out the
AllowedAuthentications line from the default config file that installs
with the distribution.)

This patch set should implement the same level of Kerberos support
that SSH1 has, i.e.:
  - Authenticating to remote host using Kerberos credentials
  - Authenticating to remote host using forwardable TGT (ticket
    granting ticket) and passing TGT to remote host for single sign-on
  - Kerberos password authentication, plus implicit "kinit -f" (i.e.,
    when logging in using Kerberos password, the ticket granting
    ticket is added to user's credentials for single sign-on)
  - supports local name being different from kerberos name and
    cross-realm authentication (i.e., the <user>@<realm> syntax for -l).

Only Kerberos5 is supported (as is the case also with SSH1; MIT
considers Kerberos4 "dead" anyway).

Good luck, Carl


On 15-Sep-00 Mike Friedman wrote:
> On Fri Sep 15 11:43:21 2000, Carl J. Nobile said:
> 
>> Make real sure that kerberos was made with shared libs. It doesn't
>> really matter to ssh, either way will work fine, but a ldd sshd2 won't
>> find the static libs. I had to tell ./configure to make the shared libs
>> for kerberos. Below was my command line.
>> 
>> ./configure --enable-shared --prefix=/usr/local/krb5-1.1.1 --without-krb4
> 
> Carl,
> 
> You're right;  my mistake.  I did build Kerberos with static libs.
> 
> (I'm still wondering, though, why libcom_err was missing, since that library
> has existed in all the releases of Kerberos5).
> 
> Anyway, assuming I now have Kerberos support in my ssh2/sshd2, where is the
> Kerberos-related documentation?  I'm particularly interested in a couple
> of things right now:
> 
> o  the appropriate configuration options for using Kerberos
> 
> o  whether sshd does 'proxy' Kerberos authentication (ie, accepting a
>    Kerberos password over the ssh connection and authenticating on behalf
>    of the user principal), as well as validating Kerberos service tickets
>    from a (kerberized) ssh client.
> 
> Thanks.
> 
> Mike
> 
> ----------------------------------------------------------------------------
> Mike Friedman                             [EMAIL PROTECTED]
> Communication & Network Services          +1-510-642-1410
> University of California at Berkeley      http://ack.Berkeley.EDU/~mikef
> ----------------------------------------------------------------------------

------------------------------------------------------------------------
E-Mail: Carl J. Nobile <[EMAIL PROTECTED]>
Date: 15-Sep-00                             Phone: 315-453-2912 Ex. 5336
Time: 16:51:21                                Fax: 315-479-0859

Software Engineering Group -- AppliedTheory Corp.
224 Harrison Street, 6th Floor, Syracuse, NY  13202
------------------------------------------------------------------------
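
Added example, not part of the original message or the patch: a small check for the situation the patch notes describe, where an explicit AllowedAuthentications line leaves out "kerberos-tgt" and "kerberos". The sample file contents are constructed, and the assumed syntax ('#' comments, case-insensitive keyword, comma-separated value, last occurrence wins) is an assumption rather than something the message states.

```python
import re

# Method names taken from the patch notes quoted in the message.
KERBEROS_METHODS = ("kerberos-tgt", "kerberos")


def allowed_authentications(config_text):
    """Return the methods on the last active AllowedAuthentications line, or None.

    Assumptions (not confirmed by the message): '#' starts a comment, the
    keyword is case-insensitive, the value is a comma-separated list, and a
    later line overrides an earlier one.
    """
    found = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "allowedauthentications":
            value = parts[1] if len(parts) > 1 else ""
            found = [m.strip().lower() for m in value.split(",") if m.strip()]
    return found


def missing_kerberos_methods(config_text):
    """Kerberos methods that an explicit AllowedAuthentications line leaves out.

    With no such line, every method is allowed by default (per the message),
    so nothing is reported as missing.
    """
    methods = allowed_authentications(config_text)
    if methods is None:
        return []
    return [m for m in KERBEROS_METHODS if m not in methods]


# Constructed sample contents, not copied from any distribution.
SAMPLE_DEFAULT = "Port 22\nAllowedAuthentications publickey,password\n"
SAMPLE_EDITED = "Port 22\nAllowedAuthentications kerberos-tgt,kerberos,publickey,password\n"
SAMPLE_COMMENTED = "Port 22\n# AllowedAuthentications publickey,password\n"

if __name__ == "__main__":
    samples = (("default", SAMPLE_DEFAULT), ("edited", SAMPLE_EDITED),
               ("commented out", SAMPLE_COMMENTED))
    for name, text in samples:
        missing = missing_kerberos_methods(text)
        print(f"{name}: missing {missing}" if missing else f"{name}: kerberos methods allowed")
```

The same check applies to the client files named in the message, since they use the same AllowedAuthentications line.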
