SSH with kerberos auth doesn't provide a ticket
C. L. Martinez
carlopmart at gmail.com
Wed Jan 25 09:58:28 UTC 2017
On Tue, Jan 24, 2017 at 11:45:30PM -0800, Matt Mullins wrote:
> On Tue, Jan 24, 2017 at 11:25 PM, C. L. Martinez <carlopmart at gmail.com> wrote:
> > Hi all,
> >
> > I have a strange problem with ssh when kerberos auth is used. We have three kerberos servers based on MIT kerberos. I have configured a FreeBSD 11-RELEASE virtual guest to authenticate against these kerberos servers. Auth works ok, but ssh doesn't request a kerberos ticket (I am connecting from a Windows 10 workstation with putty):
>
> When you say "auth works ok", I assume that means that PuTTY does not
> prompt for a password? If it does prompt for a password, you are
> definitely not using GSSAPI at the ssh-connection layer (even if that
> password is being checked against a KDC on the ssh server).
>
> > I have enabled the following options in sshd_config:
> >
> > # Kerberos options
> > KerberosAuthentication yes
>
> You probably don't need that, if you've got mod_krb5.so in your PAM
> config. This only applies when PasswordAuthentication is negotiated
> for an SSH session, anyway.
>
> > It is strange because this "problem" only appears with FreeBSD; all the other Linux servers don't have this problem.
> >
> > What am I doing wrong?
>
> When you configure your PuTTY connection for your FreeBSD machine,
> make sure you check the "Allow GSSAPI credential delegation" in
> Connection -> SSH -> Auth -> GSSAPI. Seems to work for me.
Thanks Matt for your answer. But it is not a problem with PuTTY. Using the default config that comes with PuTTY, when I do an ssh login to a CentOS or RHEL server with Kerberos auth enabled, a ticket is requested and works.
Maybe it is a problem with my PAM config.
/etc/pam.d/system
#
# $FreeBSD$
#
# System-wide defaults
#
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok
# account
account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so want_agent
session required pam_lastlog.so no_fail
# password
password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
and /etc/pam.d/sshd
#
# $FreeBSD$
#
# PAM configuration for the "sshd" service
#
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so want_agent
session required pam_permit.so
# password
password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
--
Greetings,
C. L. Martinez
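As an added example (not code from this thread, nor from FreeBSD or OpenSSH), here are two offline checks a practitioner would run while debugging the situation above: first, whether a given sshd_config actually allows GSSAPI at the ssh-connection layer (GSSAPIAuthentication) or only KerberosAuthentication, which as Matt notes applies solely to the password method; second, which method a client-side `ssh -v` run actually succeeded with. The sshd_config fragments and `ssh -v` excerpts are constructed for the example; the one OpenSSH behaviour relied on is that the client logs `Authentication succeeded (<method>).` at debug1 on success, and that for each sshd_config keyword the first value obtained wins. Note that even with gssapi-with-mic a ticket appears in the server-side session only when the client delegates credentials (PuTTY's "Allow GSSAPI credential delegation", or GSSAPIDelegateCredentials in OpenSSH).

```shell
#!/bin/sh
# Added example, not code from the thread. Offline checks for the situation
# discussed: (1) can this sshd_config negotiate GSSAPI, or only a password
# checked against the KDC; (2) which method did a client `ssh -v` run use.
# The config files and log excerpts below are constructed for the example.

# Print the (lowercased) value of an sshd_config keyword, or a default.
# Keywords are case-insensitive, the first obtained value wins, and we stop
# at the first Match block since those values are conditional.
sshd_opt() {
    # $1 = config file, $2 = keyword, $3 = default if absent
    val=$(awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }      # skip comments, blank lines
        tolower($1) == "match" { exit }          # stop at the first Match block
        tolower($1) == key { print tolower($2); exit }
    ' "$1")
    printf '%s\n' "${val:-$3}"
}

# Classify what the server can offer for a Kerberos-backed login.
sshd_krb_mode() {
    gss=$(sshd_opt "$1" GSSAPIAuthentication no)     # upstream default: no
    krb=$(sshd_opt "$1" KerberosAuthentication no)   # upstream default: no
    pw=$(sshd_opt "$1" PasswordAuthentication yes)   # upstream default: yes
    if [ "$gss" = yes ]; then
        echo gssapi             # gssapi-with-mic can be offered; a ticket on
                                # the server still needs credential delegation
    elif [ "$krb" = yes ] && [ "$pw" = yes ]; then
        echo password-kerberos  # password validated against the KDC, no GSSAPI
    elif [ "$pw" = yes ]; then
        echo password-pam       # whatever the PAM stack (e.g. pam_krb5) decides
    else
        echo none
    fi
}

# From `ssh -v` client output, report the method that actually succeeded.
ssh_auth_method() {
    m=$(sed -n 's/.*Authentication succeeded (\([^)]*\)).*/\1/p' "$1" | head -n 1)
    printf '%s\n' "${m:-unknown}"
}

# --- constructed samples ---------------------------------------------------
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Like the post: KerberosAuthentication only, no GSSAPIAuthentication line.
cat > "$tmp/sshd_config.post" <<'EOF'
# Kerberos options
KerberosAuthentication yes
UsePAM yes
EOF

# GSSAPI enabled at the ssh-connection layer; the Match block must be ignored.
cat > "$tmp/sshd_config.gss" <<'EOF'
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
KerberosAuthentication no
Match User backup
    PasswordAuthentication no
EOF

# Two constructed `ssh -v` excerpts: a password login and a GSSAPI login.
cat > "$tmp/ssh.pw" <<'EOF'
debug1: Authentications that can continue: publickey,keyboard-interactive,password
debug1: Next authentication method: password
debug1: Authentication succeeded (password).
EOF
cat > "$tmp/ssh.gss" <<'EOF'
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Authentication succeeded (gssapi-with-mic).
EOF

echo "post config:  $(sshd_krb_mode "$tmp/sshd_config.post")"
echo "gss config:   $(sshd_krb_mode "$tmp/sshd_config.gss")"
echo "password run: $(ssh_auth_method "$tmp/ssh.pw")"
echo "gssapi run:   $(ssh_auth_method "$tmp/ssh.gss")"
```

On a real host, point `sshd_krb_mode` at /etc/ssh/sshd_config and `ssh_auth_method` at a saved `ssh -v user@host 2>log` run: a result of `password` with a KerberosAuthentication-only server means the KDC checked the password but GSSAPI was never negotiated, which is the distinction Matt draws above.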