Date: Wed, 16 Mar 2005 11:18:34 +0100
From: Vladimir Dvorak <dvorakv@vdsoft.org>
To: freebsd-questions@freebsd.org
Subject: SSH with Kerberos authentication
Message-ID: <423807FA.1010900@vdsoft.org>
Hi *,

I have been stuck for several hours configuring SSH authentication via Kerberos. I tested the same configuration on Linux and there was no problem. I suspect pam_krb5.so.

My requisites:

FreeBSD 5.3-RELEASE-p5
Kerberos coming with the base system (Heimdal implementation, Heimdal 0.6.1)

In /etc/krb5.conf:

    [libdefaults]
        default_realm = ATREY

    [realms]
        ATREY = {
            kdc = 172.16.10.1
            kpasswd_server = 172.16.10.1
        }

    [logging]
        kdc = FILE:/var/log/kdc.log
        kdc = SYSLOG:DEBUG
        default = SYSLOG:DEBUG:USER

    [appdefaults]
        kinit = {
            forwardable = true
        }

    [kdc]
        database = {
            realm = ATREY
        }
        require-preauth = no
        v4-realm = ATREY
        key-file = /var/heimdal/heimdal.mkey

In /etc/pam.d/sshd I have:

    auth      sufficient  pam_krb5.so  try_first_pass debug
    auth      required    pam_unix.so
    account   required    pam_krb5.so  debug
    session   optional    pam_krb5.so  debug
    password  sufficient  pam_krb5.so  debug

From the client's view:

    ....
    debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive
    debug1: Next authentication method: gssapi-with-mic
    debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive
    debug1: Next authentication method: publickey
    debug1: Trying private key: /home/dvorakv/.ssh/identity
    debug1: Trying private key: /home/dvorakv/.ssh/id_rsa
    debug1: Trying private key: /home/dvorakv/.ssh/id_dsa
    debug1: Next authentication method: keyboard-interactive
    Password:
    pam_krb5: pam_sm_authenticate: Kerberos 5 error
    pam_krb5: pam_sm_authenticate: Kerberos 5 refuses you

At the server site, in /var/log/auth.log there is nothing to publish. :-(

In /var/log/kdc.log:

What's more, the "debug" parameter after pam_krb5.so doesn't increase the verbosity of the output.

Here is my configuration method:

1. kstash
   Password: xxxx
2. edit /etc/krb5.conf
3. kadmin -l
   kadmin> init ATREY
   ..
4. add principals
   kadmin> add dvorakv
   ....
5. run kdc, kpasswd, kadmind
   /etc/rc.d/{kerberos,kadmind,kpasswd} start
6. test if I can get a ticket
   kinit dvorakv
   password: xxxx

   dvorakv@atrey:~$ kinit dvorakv
   dvorakv@ATREY's Password:
   kinit: NOTICE: ticket renewable lifetime is 1 week
   ^^^^ everything ok, but SSH and PAM! :-(

And the last remark: this server runs in jail(8), but there shouldn't be a problem.

Any ideas? Is /etc/pam.d/sshd correct? Is there anything I am missing? Is there anything special in FreeBSD compared to Linux?

Thank you,
Vladimir
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?423807FA.1010900>
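Editor's note, added after the message and not part of the original post or of FreeBSD's pam_krb5: the question "Is /etc/pam.d/sshd correct?" is really a question about what the control flags enforce. The script below parses the auth stack quoted in the message and simulates the usual required / requisite / sufficient / optional semantics (a simplified model of OpenPAM and Linux-PAM dispatch, stated as an assumption in the comments) for every combination of module results. Two things worth seeing in the output: a pam_krb5 failure is not fatal with this stack, because the required pam_unix.so entry still accepts the local password, and a pam_krb5 success short-circuits pam_unix.so entirely. Note also that the client trace shows gssapi-with-mic being attempted and abandoned before keyboard-interactive, so the password itself is sent to the server and handed to pam_krb5; a working kinit on the server proves only that the user principal and KDC are fine, not that the server is able to verify the resulting TGT against a key of its own. The pam.d lines are re-spaced from the post; the module result combinations are constructed.

```python
"""Simulate the /etc/pam.d/sshd auth chain from the post (added example).

Applies a simplified model of OpenPAM / Linux-PAM control flags so the
verdict for every combination of module results can be inspected.
"""
from itertools import product

# Copy of the stack from the post, re-spaced (content unchanged).
SSHD_PAM = """\
auth      sufficient  pam_krb5.so  try_first_pass debug
auth      required    pam_unix.so
account   required    pam_krb5.so  debug
session   optional    pam_krb5.so  debug
password  sufficient  pam_krb5.so  debug
"""


def parse_stack(text, facility):
    """Return [(control, module, options)] for one facility, e.g. 'auth'."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] != facility:
            continue
        stack.append((fields[1], fields[2], fields[3:]))
    return stack


def run_stack(stack, results):
    """Evaluate a chain; results is a sequence of True/False in stack order.

    Assumed (simplified) control-flag semantics:
      required:   failure is remembered, the remaining modules still run
      requisite:  failure ends the chain immediately with a denial
      sufficient: success ends the chain with access unless a required
                  module already failed; its own failure is ignored
      optional:   a failure is ignored, a success counts
    A chain with no successful module and no recorded failure is denied.
    """
    required_failed = False
    successes = 0
    for (control, _module, _opts), ok in zip(stack, results):
        if control == "requisite":
            if not ok:
                return False
            successes += 1
        elif control == "required":
            if ok:
                successes += 1
            else:
                required_failed = True
        elif control == "sufficient":
            if ok and not required_failed:
                return True
        elif control == "optional":
            if ok:
                successes += 1
        else:
            raise ValueError("unknown control flag %r" % control)
    if required_failed:
        return False
    return successes > 0


def outcome_table(stack):
    """Map each tuple of per-module results (stack order) to the verdict."""
    table = {}
    for combo in product((True, False), repeat=len(stack)):
        table[combo] = run_stack(stack, combo)
    return table


def sshd_auth_verdicts():
    """Verdicts for the post's auth stack, keyed (pam_krb5_ok, pam_unix_ok)."""
    return outcome_table(parse_stack(SSHD_PAM, "auth"))


if __name__ == "__main__":
    chain = parse_stack(SSHD_PAM, "auth")
    print("auth chain:", [(c, m) for c, m, _ in chain])
    for (krb5_ok, unix_ok), verdict in sorted(sshd_auth_verdicts().items(),
                                              reverse=True):
        print("pam_krb5=%-5s pam_unix=%-5s -> %s"
              % (krb5_ok, unix_ok, "access granted" if verdict else "denied"))
```

Run it as-is to print the four auth outcomes; swap the control flag on the pam_krb5.so line to "required" and re-run to see that a KDC outage then locks everyone out instead of quietly falling back to local passwords, which is the trade-off this stack is making.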