SSH with kerberos auth doesn't provide a ticket

C. L. Martinez carlopmart at gmail.com
Wed Jan 25 09:58:28 UTC 2017 

On Tue, Jan 24, 2017 at 11:45:30PM -0800, Matt Mullins wrote:
> On Tue, Jan 24, 2017 at 11:25 PM, C. L. Martinez <carlopmart at gmail.com> wrote:
> > Hi all,
> >
> >  I have a strange problem with ssh when kerberos auth is used. We have three kerberos servers based on MIT kerberos. I have configured a FreeBSD 11-RELEASE virtual guest to authenticate against these kerberos servers. Auth works ok, but ssh doesn't request a kerberos ticket (I am connecting from a Windows 10 workstation with putty):
> 
> When you say "auth works ok", I assume that means that PuTTY does not
> prompt for a password?  If it does prompt for a password, you are
> definitely not using GSSAPI at the ssh-connection layer (even if that
> password is being checked against a KDC on the ssh server).
> 
> >  I have enabled th following options in sshd_config:
> >
> > # Kerberos options
> > KerberosAuthentication yes
> 
> You probably don't need that, if you've got mod_krb5.so in your PAM
> config.  This only applies when PasswordAuthentication is negotiated
> for an SSH session, anyway.
> 
> >  It is strange because this "problem" only appears with FreeBSD, all others linux doesn't have this problem.
> >
> >  What am I doing wrong?
> 
> When you configure your PuTTY connection for your FreeBSD machine,
> make sure you check the "Allow GSSAPI credential delegation" in
> Connection -> SSH -> Auth -> GSSAPI.  Seems to work for me.

Thanks Matt for your answer. But it is not a problem with PuTTY. Using default config that comes with putty, when I do a ssh login to a CentOS or RHEL server with kerberos auth enabled, ticket is requested and works.

Maybe is a problem with my PAM's config.

/etc/pam.d/system

#
# $FreeBSD$
#
# System-wide defaults
#

# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass nullok

# account
account         required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so              want_agent
session         required        pam_lastlog.so          no_fail

# password
password        sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass


and /etc/pam.d/sshd

#
# $FreeBSD$
#
# PAM configuration for the "sshd" service
#

# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass

# account
account         required        pam_nologin.so
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so              want_agent
session         required        pam_permit.so

# password
password        sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass

-- 
Greetings,
C. L. Martinez

More information about the freebsd-questions mailing list