[Bug 268186] Kerberos authentication fails with a Linux/FreeIPA KDC

From: <bugzilla-noreply_at_freebsd.org>
Date: Tue, 20 Dec 2022 15:29:21 UTC

--- Comment #35 from amendlik@gmail.com ---
(In reply to Cy Schubert from comment #34)

We seem to be discussing at least 3 different authentication mechanisms that
could all properly be called "Kerberos authentication":

1) OpenSSH with GSSAPIAuthentication: the client passes a service ticket to the

2) OpenSSH with KerberosAuthentication: the server prompts the client for a
password and those credentials are verified by the KDC.

3) OpenSSH with PAM and pam_krb5: according to the documentation
(https://www.freebsd.org/cgi/man.cgi?query=pam_krb5&sektion=8&n=1) this also
prompts for a password:

     It prompts the user for a password and obtains a new Kerberos TGT for the
     principal.  The TGT is verified by obtaining a service ticket for the lo-
     cal host.

     When prompting for the current password, the authentication module will
     use the prompt "Password for <principal>:".

I am trying to achieve authentication using a service ticket, without prompting
the user for a password. I just want to confirm that we are pursuing the same
solution here. Can this be done with PAM?

On your other questions: I am testing using a FreeBSD client and server, with
the only Linux machine being the FreeIPA KDC. The FreeBSD client config looks
like this:

ForwardX11Trusted yes
GSSAPIAuthentication yes
PubkeyAuthentication no
VerifyHostKeyDNS yes
GSSAPIDelegateCredentials yes

You are receiving this mail because:
You are the assignee for the bug.