heimdal kerberos & ssh

Stijn Hoop stijn at win.tue.nl
Wed Aug 31 11:23:04 GMT 2005


Hi,

I'm trying to set up a Kerberos realm, on a 5.4-STABLE box using the
base heimdal version.

I have successfully created the database and I can get a ticket using
kinit.

Now I'm trying to set up the ssh service so that it authenticates to
the kerberos server, and so that it saves the ticket to the
credentials cache. However that last point is not working:

%%%
[stijn at firsa] <~> grep stijnkrb /etc/passwd
stijnkrb:*:1004:1004:stijn kerb test:/home/stijnkrb:/usr/local/bin/zsh
[stijn at firsa] <~> ssh stijnkrb at localhost
Password:
Last login: Wed Aug 31 13:11:15 2005 from localhost.lzee.
firsa% klist
klist: No ticket file: /tmp/krb5cc_1004
%%%

So it seems that the authentication is working, however the TGT is not
being saved.

I have modified /etc/pam.d/sshd as follows:

%%%
# auth
auth            required        pam_krb5.so             no_warn try_first_pass

# account
account         required        pam_krb5.so

# session
session         required        pam_permit.so

# password
password        required        pam_krb5.so             no_warn try_first_pass
%%%

Which to my mind should allow only kerberos accounts to login.
However, sshd happily passes authentication for local-only accounts as
well! I do have UsePAM yes in /etc/ssh/sshd_config, although the text
suggested this as the default.

Not knowing much about pam, is this not the right thing to do? I have tried
variations on this but it seems that it's not helping any... Adding a
'ccache' option to the auth line for pam_krb5 didn't help either.

Is there an introductory document on PAM available online somewhere? Or better
a working setup with pam_krb5 on FreeBSD 5.x/6.x?

Thanks,

--Stijn

-- 
Nostalgia ain't what it used to be.
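Reading a stack like the one quoted in this post is easier with the PAM control-flag rules spelled out in code. The following is an added example, not code from the post, from FreeBSD or from OpenPAM: a small Python evaluator that parses pam.d syntax and applies the required/requisite/sufficient/binding semantics OpenPAM uses. `PAM_SSHD_POST` is a constructed copy of the stack from the post, `PAM_SSHD_FALLBACK` is a constructed alternative (not a default or recommended configuration), and `KRB_USER`/`LOCAL_ONLY` are constructed module outcomes, not results of real PAM calls. Run against the post's stack it shows that a lone `auth required pam_krb5.so` line cannot admit an account pam_krb5 rejects, which narrows the search to how sshd invokes PAM rather than to the file itself.

```python
"""Evaluate a pam.d-style stack with OpenPAM control-flag semantics.

Added example, not code from the original post.  Module outcomes are
constructed inputs supplied by the caller; no real PAM module is run."""

from typing import Any, Dict, List, Tuple

Rule = Tuple[str, str, List[str]]          # (control, module, options)

# Constructed copy of the /etc/pam.d/sshd quoted in the post.
PAM_SSHD_POST = """
# auth
auth            required        pam_krb5.so             no_warn try_first_pass
# account
account         required        pam_krb5.so
# session
session         required        pam_permit.so
# password
password        required        pam_krb5.so             no_warn try_first_pass
"""

# Constructed alternative: Kerberos first, local password file as fallback.
PAM_SSHD_FALLBACK = """
auth            sufficient      pam_krb5.so             no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass
account         required        pam_unix.so
session         required        pam_permit.so
"""

# Constructed outcomes.  Keys are a module name, or (facility, module) for
# a per-facility override.  KRB_USER models a principal whose passwd entry
# has '*' as password (like stijnkrb above): pam_unix auth fails but its
# account check passes.  LOCAL_ONLY has no Kerberos principal at all.
KRB_USER: Dict[Any, bool] = {"pam_krb5.so": True, ("auth", "pam_unix.so"): False,
                             "pam_unix.so": True}
LOCAL_ONLY: Dict[Any, bool] = {"pam_krb5.so": False, "pam_unix.so": True}


def parse_pam(text: str) -> Dict[str, List[Rule]]:
    """Return {facility: [(control, module, options), ...]} in file order."""
    chains: Dict[str, List[Rule]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        facility, control, module = fields[:3]
        chains.setdefault(facility, []).append((control, module, fields[3:]))
    return chains


def run_chain(facility: str, chain: List[Rule],
              results: Dict[Any, bool]) -> Tuple[bool, List[str]]:
    """Walk one facility's chain.  A module missing from `results` is
    treated as failing.  Returns (access_granted, trace)."""
    failed = False
    trace: List[str] = []
    for control, module, _opts in chain:
        ok = results.get((facility, module), results.get(module, False))
        trace.append(f"{control:<10} {module:<14} -> {'success' if ok else 'fail'}")
        if control == "required":
            # Failure is remembered but later modules still run, so the
            # caller cannot tell which module rejected the login.
            failed = failed or not ok
        elif control == "requisite":
            if not ok:
                trace.append("requisite failed: chain aborted")
                return False, trace
        elif control in ("sufficient", "binding"):
            if ok and not failed:
                trace.append(f"{control} succeeded: chain ends, access granted")
                return True, trace
            if control == "binding" and not ok:
                failed = True
        elif control == "optional":
            pass  # only decisive when it is the sole module; not modelled here
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return (not failed), trace


def login_allowed(config_text: str, results: Dict[Any, bool]) -> bool:
    """sshd-style decision: auth chain, then account chain, must both pass.
    The session and password chains never gate access."""
    chains = parse_pam(config_text)
    return all(run_chain(f, chains.get(f, []), results)[0]
               for f in ("auth", "account"))


if __name__ == "__main__":
    for name, cfg in (("post's stack", PAM_SSHD_POST),
                      ("fallback stack", PAM_SSHD_FALLBACK)):
        for who, res in (("kerberos principal", KRB_USER),
                         ("local-only account", LOCAL_ONLY)):
            verdict = "ALLOW" if login_allowed(cfg, res) else "DENY"
            print(f"{name}, {who}: {verdict}")
            for step in run_chain("auth", parse_pam(cfg)["auth"], res)[1]:
                print("   ", step)
```

With the post's stack the evaluator denies `LOCAL_ONLY` outright; the fallback stack admits both kinds of account because `sufficient` short-circuits the chain on a Kerberos success and `pam_unix.so` catches the rest. Which of the two behaviours is wanted depends on whether local-only logins should survive at all once the realm is in place.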

