[Bug 268186] Kerberos authentication fails with a Linux/FreeIPA KDC
- In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 268186] Kerberos authentication fails with a Linux/FreeIPA KDC"
Date: Tue, 20 Dec 2022 15:29:21 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268186
--- Comment #35 from amendlik@gmail.com ---
(In reply to Cy Schubert from comment #34)
We seem to be discussing at least 3 different authentication mechanisms that
could all properly be called "Kerberos authentication":
1) OpenSSH with GSSAPIAuthentication: the client passes a service ticket to the
server.
2) OpenSSH with KerberosAuthentication: the server prompts the client for a
password and those credentials are verified by the KDC.
3) OpenSSH with PAM and pam_krb5: according to the documentation
(https://www.freebsd.org/cgi/man.cgi?query=pam_krb5&sektion=8&n=1) this also
prompts for a password:
    It prompts the user for a password and obtains a new Kerberos TGT for the
    principal. The TGT is verified by obtaining a service ticket for the
    local host.

    When prompting for the current password, the authentication module will
    use the prompt "Password for <principal>:".
I am trying to achieve authentication using a service ticket, without prompting
the user for a password. I just want to confirm that we are pursuing the same
solution here. Can this be done with PAM?
On your other questions: I am testing using a FreeBSD client and server, with
the only Linux machine being the FreeIPA KDC. The FreeBSD client config looks
like this:
    ForwardX11Trusted yes
    GSSAPIAuthentication yes
    PubkeyAuthentication no
    VerifyHostKeyDNS yes
    KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
    GSSAPIDelegateCredentials yes
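The three mechanisms listed in the comment above map to different sshd_config keywords on the server, so a configuration can be checked for which of them can prompt for a password. The following is an added example, not part of the original message or of the FreeBSD or OpenSSH projects: the keyword names are real sshd_config options, while the function names and the sample configuration are constructed, and whether pam_krb5 is actually in the PAM stack cannot be seen from sshd_config.

```python
# Added example (not from the bug report). Keyword names are real sshd_config
# options; function names and the sample configuration are constructed.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

SAMPLE = """\
# constructed sample
GSSAPIAuthentication yes
KerberosAuthentication no
UsePAM yes
KbdInteractiveAuthentication no
PasswordAuthentication no
GSSAPIAuthentication no
"""

def parse_global_settings(text):
    """Return {keyword: value} for the global section; first value wins, as in sshd."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "match":  # Match blocks are conditional; this sketch stops there
            break
        settings.setdefault(ALIASES.get(key, key), parts[1].strip())
    return settings

def flag(settings, key):
    """True/False for an explicit yes/no, None when unset (platform default applies)."""
    value = settings.get(key)
    return None if value is None else value.lower() == "yes"

def both(a, b):
    return False if a is False or b is False else (None if None in (a, b) else True)

def either(a, b):
    return True if a is True or b is True else (None if None in (a, b) else False)

def kerberos_paths(text):
    s = parse_global_settings(text)
    gssapi, krb, pam, pw, kbd = (flag(s, k) for k in (
        "gssapiauthentication", "kerberosauthentication", "usepam",
        "passwordauthentication", "kbdinteractiveauthentication"))
    return {
        "gssapi_ticket": gssapi,                     # 1) service ticket, no prompt
        "kdc_password": both(krb, pw),               # 2) password checked against the KDC
        "pam_password": both(pam, either(pw, kbd)),  # 3) PAM prompt (pam_krb5 if in the stack)
        "ticket_only": gssapi is True and pw is False and kbd is False,
    }
```

A value of None means the keyword was not set in the global section, so the platform's compiled-in default decides.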