heimdal kerberos & ssh

Stijn Hoop stijn at win.tue.nl
Wed Aug 31 11:23:04 GMT 2005


I'm trying to setup a Kerberos realm, on a 5.4-STABLE box using the
base heimdal version.

I have succesfully created the database and I can get a ticket using

Now I'm trying to setup the ssh service so that it authenticates to
the kerberos server, and so that it saves the ticket to the
credentials cache. However that last point is not working:

[stijn at firsa] <~> grep stijnkrb /etc/passwd
stijnkrb:*:1004:1004:stijn kerb test:/home/stijnkrb:/usr/local/bin/zsh
[stijn at firsa] <~> ssh stijnkrb at localhost
Last login: Wed Aug 31 13:11:15 2005 from localhost.lzee.
firsa% klist
klist: No ticket file: /tmp/krb5cc_1004

So it seems that the authentication is working, however the TGT is not
being saved.

I have modified /etc/pam.d/sshd as follows:

# auth
auth            required        pam_krb5.so             no_warn try_first_pass

# account
account         required        pam_krb5.so

# session
session         required        pam_permit.so

# password
password        required        pam_krb5.so             no_warn try_first_pass

Which to my mind should allow only kerberos accounts to login.
However, sshd happily passes authentication for local-only accounts as
well! I do have UsePAM yes in /etc/ssh/sshd_config, although the text
suggested this as the default.

Not knowing much about pam, is this not the right thing to do? I have tried
variations on this but it seems that it's not helping any... Adding a
'ccache' option to the auth line for pam_krb5 didn't help either.

Is there an introductory document on PAM available online somewhere? Or better
a working setup with pam_krb5 on FreeBSD 5.x/6.x?



Nostalgia ain't what it used to be.

More information about the freebsd-questions mailing list