Hi Mike,

I found SSHing to my localhost didn't work very well, probably because I
don't have it configured as a Kerberos server. I have no problem logging
into a remote machine with SSH 2.4.0 without using a password as long as
I do a kinit first. You are correct about the option change, I just
changed my version of the source on SSH-1.4.0, but that's not necessary.

Carl

On 16-Jun-01 Mike Friedman wrote:
> Carl,
> 
> Since my postings of last Sept, I have moved to ssh 2.4.0, so I decided to
> try the Kerberos support again.  No trouble compiling this time (against
> Kerberos 1.2.1 libraries).  The configuration options turn out to be a bit
> different than you indicated back then, as I determined from looking at the
> source code.  They are:
> 
>    AllowedAuthentications  [EMAIL PROTECTED],[EMAIL PROTECTED]
> 
> What I find is that Kerberos password authentication (i.e., 'proxy' auth)
> works -- sshd accepts either my Kerberos passphrase or my Unix password --
> but I can't get Kerberos credential authentication to work.  With the above
> statement in my sshd2_config, even if I have first obtained a TGT, I'm
> still prompted for a password and my Kerberos or Unix passwords do work.
> It seems my credential is just ignored.  In my test, the client and server
> are the same machine and I made sure the above configuration appears in
> both sshd2_config and ssh2_config.
> 
> Is there something else I should be doing?
> 
> Thanks.
> 
> Mike
> 
> ==============================================
> On Fri Sep 15 13:53:42 2000, Carl J. Nobile said:
>> Okay configuration is simple.
>> 
>> This is from the patch info I got from Anne:
>> 
>> Note that you may need to edit /etc/ssh2/sshd2_config to add
>> "kerberos-tgt" and "kerberos" to AllowedAuthentications.  You may also
>> need to edit the AllowedAuthentications line in the client's
>> configuration file (/etc/ssh2/ssh2_config and/or ~/.ssh2/ssh2_config)
>> to add these methods on the AllowedAuthentications line.  (Note that
>> they are all allowed by default, but the default
>> /etc/ssh2/sshd2_config file contains an AllowedAuthentications line
>> that disables them.  In my opinion we should comment out the
>> AllowedAuthentications line from the default config file that installs
>> with the distribution.)
>> 
>> This patch set should implement the same level of Kerberos support
>> that SSH1 has, i.e.:
>>   - Authenticating to remote host using Kerberos credentials
>>   - Authenticating to remote host using forwardable TGT (ticket
>>     granting ticket) and passing TGT to remote host for single sign-on
>>   - Kerberos password authentication, plus implicit "kinit -f" (i.e.,
>>     when logging in using Kerberos password, the ticket granting
>>     ticket is added to user's credentials for single sign-on)
>>   - supports local name being different from kerberos name and
>>     cross-realm authentication (i.e., the <user>@<realm> syntax for
>>     -l).
> 
> ----------------------------------------------------------------------------
> Mike Friedman                             [EMAIL PROTECTED]
> System & Network Security                 +1-510-642-1410
> University of California at Berkeley      http://ack.Berkeley.EDU/~mikef
> ----------------------------------------------------------------------------

------------------------------------------------------------------------
E-Mail: Carl J. Nobile <[EMAIL PROTECTED]>
Date: 18-Jun-01                             Phone: 315-453-2912 Ex. 5336
Time: 08:57:07                                Fax: 315-479-0859

Software Engineering Group -- AppliedTheory Corp.
224 Harrison Street, 6th Floor, Syracuse, NY  13202
------------------------------------------------------------------------
