heimdal kerberos & ssh
stijn at win.tue.nl
Wed Aug 31 11:23:04 GMT 2005
I'm trying to setup a Kerberos realm, on a 5.4-STABLE box using the
base heimdal version.
I have successfully created the database and I can get a ticket using
Now I'm trying to setup the ssh service so that it authenticates to
the kerberos server, and so that it saves the ticket to the
credentials cache. However that last point is not working:
[stijn@firsa] <~> grep stijnkrb /etc/passwd
stijnkrb:*:1004:1004:stijn kerb test:/home/stijnkrb:/usr/local/bin/zsh
[stijn@firsa] <~> ssh stijnkrb@localhost
Last login: Wed Aug 31 13:11:15 2005 from localhost.lzee.
klist: No ticket file: /tmp/krb5cc_1004
So it seems that the authentication is working, however the TGT is not
I have modified /etc/pam.d/sshd as follows:
auth required pam_krb5.so no_warn try_first_pass
account required pam_krb5.so
session required pam_permit.so
password required pam_krb5.so no_warn try_first_pass
Which to my mind should allow only kerberos accounts to login.
However, sshd happily passes authentication for local-only accounts as
well! I do have UsePAM yes in /etc/ssh/sshd_config, although the text
suggested this as the default.
Not knowing much about pam, is this not the right thing to do? I have tried
variations on this but it seems that it's not helping any... Adding a
'ccache' option to the auth line for pam_krb5 didn't help either.
Is there an introductory document on PAM available online somewhere? Or better
a working setup with pam_krb5 on FreeBSD 5.x/6.x?
Nostalgia ain't what it used to be.
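Added example (not from the original post): a small simulator of PAM control-flag semantics, run over the auth stack quoted in the message and over a constructed "Kerberos or local password" stack for comparison. Module outcomes are supplied by hand since no real PAM module is loaded; the constructed stack and the `pam_unix.so` line are assumptions, not the poster's configuration.

```python
# Constructed inputs. POSTED_SSHD_STACK is the stack from the message;
# KRB_OR_LOCAL_STACK is an assumed alternative in which Kerberos is
# sufficient and local passwords are still accepted via pam_unix.
POSTED_SSHD_STACK = """
auth     required pam_krb5.so no_warn try_first_pass
account  required pam_krb5.so
session  required pam_permit.so
password required pam_krb5.so no_warn try_first_pass
"""

KRB_OR_LOCAL_STACK = """
auth sufficient pam_krb5.so no_warn try_first_pass
auth required   pam_unix.so no_warn try_first_pass
"""

def parse_stack(text):
    """Return (facility, control, module, options) tuples, skipping comments."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        facility, control, module = fields[0], fields[1].lower(), fields[2]
        entries.append((facility, control, module, fields[3:]))
    return entries

def evaluate(entries, facility, results):
    """Outcome of one facility's chain; results maps module name -> bool.

    required:   a failure makes the chain fail, but later modules still run
    requisite:  a failure ends the chain immediately with failure
    sufficient: a success ends the chain with success unless a required
                module already failed; a failure is ignored
    optional:   a failure is ignored; a success counts as a success
    """
    chain = [e for e in entries if e[0] == facility]
    required_failed = False
    any_success = False
    for _, control, module, _ in chain:
        ok = results.get(module, False)  # unknown module: treated as failure
        if control == "requisite" and not ok:
            return False
        if control == "sufficient" and ok and not required_failed:
            return True
        if control == "required" and not ok:
            required_failed = True
        any_success = any_success or ok
    return any_success and not required_failed
```

With every auth line `required pam_krb5.so`, a user who has no Kerberos principal is refused by this stack, so a local-only account that still logs in is being authenticated by a path that does not consult this stack.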