From owner-freebsd-stable  Wed May 23 14:44:18 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from gw.nectar.com (gw.nectar.com [208.42.49.153])
	by hub.freebsd.org (Postfix) with ESMTP id D907837B42C
	for <freebsd-stable@freebsd.org>; Wed, 23 May 2001 14:44:14 -0700 (PDT)
	(envelope-from nectar@nectar.com)
Received: from shade.nectar.com (gw.nectar.com [208.42.49.153])
	by gw.nectar.com (Postfix) with ESMTP
	id 2B81318CAA; Wed, 23 May 2001 16:44:14 -0500 (CDT)
Received: (from nectar@localhost)
	by shade.nectar.com (8.11.3/8.11.3) id f4NLiCT04720;
	Wed, 23 May 2001 16:44:12 -0500 (CDT)
	(envelope-from nectar)
Date: Wed, 23 May 2001 16:44:12 -0500
From: "Jacques A. Vidrine" <n@nectar.com>
To: Peter Losher <Peter.Losher@nominum.com>
Cc: freebsd-stable@freebsd.org
Subject: Re: OpenSSH and Krb5, FreeBSD style...
Message-ID: <20010523164412.A540@shade.nectar.com>
Mail-Followup-To: "Jacques A. Vidrine" <n@nectar.com>,
	Peter Losher <Peter.Losher@nominum.com>, freebsd-stable@freebsd.org
References: <20010523111132.B441@shade.nectar.com> <Pine.NEB.4.33.0105231124500.9543-100000@shell1.nominum.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <Pine.NEB.4.33.0105231124500.9543-100000@shell1.nominum.com>; from Peter.Losher@nominum.com on Wed, May 23, 2001 at 12:15:29PM -0700
X-Url: http://www.nectar.com/
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-stable.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo?subject=subscribe%20freebsd-stable>
List-Unsubscribe: <mailto:majordomo?subject=unsubscribe%20freebsd-stable>
X-Loop: FreeBSD.ORG

On Wed, May 23, 2001 at 12:15:29PM -0700, Peter Losher wrote:
> Good news - I finally got the OpenSSH client to do Kerberos on my
> 4.3-RELEASE box (My problem was that I uncommented almost all of the
> Kerberos options, when only KerberosAuthenication was needed/supported)
> Ticket Authenication seems to work fine doing 'ssh -1',

Good.

> 'ssh -2' goes to password auth.

The OpenSSH v2 stuff doesn't do Kerberos (IV nor 5).

> Bad news, UW-IMAP suffers from the same linker problem <sigh>.  Also, SSHD
> refuses to take any Krb5 authentication, tkt or password.  

I'm confused -- above  you said that it `seems to  work fine' with the
v1 protocol.  Which SSHD are you talking about here?

> I installed  pam_krb5 from  ports, replaced  the commented  out Krb4
> line under  sshd with  one for pam_krb5.so,  and now  sshd segfaults
> whenever you type in a Kerberos password. <sigh>

Obviously that shouldn't happen, but the module is young and finicky.
Use the following for sshd/pam_krb5:

  auth    sufficient      pam_krb5.so try_first_pass 
  auth    required        pam_unix.so
  account sufficient      pam_krb5.so try_first_pass
  account required        pam_unix.so
  session sufficient      pam_krb5.so try_first_pass
  session required        pam_unix.so

> The joys of debugging - Any ideas?

Cheers,
-- 
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message