Date:      Mon, 31 Dec 2007 14:07:09 -0600
From:      Jacob Yocom-Piatt <jy-p@fixedpointgroup.com>
To:        freebsd-questions@freebsd.org
Subject:   ssh + kerberos: problems w/ -current to openbsd 4.2 KDC
Message-ID:  <47794BED.6090007@fixedpointgroup.com>

have most of the machines here doing ssh authentication via kerberos 
against a heimdal KDC running openbsd 4.2-release. the freebsd 7.0beta4 
host i recently installed will not allow machines to ssh into it using 
kerberos credentials but it (freebsd host) does successfully get and use 
tickets from the KDC when

[gssapi]
    correct_des3_mic = host/*@MYDOMAIN.COM

is added to /etc/krb5.conf.

nothing notable shows up in the KDC logs and the following appears in 
/var/log/auth.log on the freebsd host:

Dec 31 12:46:48 databank1 sshd[24658]: error: ssh_msg_send: write
Dec 31 12:50:14 databank1 sshd[24690]: error: ssh_msg_send: write

the changes made on the freebsd host to accommodate kerberos 
authentication were in /etc/ssh/sshd_config and /etc/pam.d/sshd, 
respectively:

KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

auth            sufficient      pam_krb5.so             no_warn try_first_pass
account         required        pam_krb5.so
password        sufficient      pam_krb5.so             no_warn try_first_pass

where the lines in /etc/pam.d/sshd were simply uncommented and in the 
original order. debugging outputs from a client trying to ssh into the 
freebsd host are not very enlightening:

...
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: publickey
...

any clues as to what needs to be done to get this to work correctly 
would be appreciated.

cheers,
jake
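An added example, not part of jake's post or of FreeBSD: a small Python audit that parses the three configuration fragments quoted above (sshd_config, krb5.conf and pam.d/sshd) and reports which of those settings are missing, so the host-side setup can be verified before digging into sshd -d output. The file contents here are constructed samples mirroring the post, not real files.

```python
import re

def _lines(text):
    """Yield non-empty lines with '#' comments stripped (shared by all parsers)."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

def parse_sshd_config(text):
    """Map sshd_config keywords (case-insensitive) to their last value."""
    opts = {}
    for line in _lines(text):
        key, _, value = line.partition(" ")
        opts[key.lower()] = value.strip()
    return opts

def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: value}} for flat key = value lines."""
    sections, current = {}, None
    for line in _lines(text):
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            current[k] = v
    return sections

def parse_pam(text):
    """Return (type, control, module, args) tuples from a pam.d file."""
    return [(p[0], p[1], p[2], p[3:]) for p in map(str.split, _lines(text)) if len(p) >= 3]

def audit(sshd_text, krb5_text, pam_text):
    """Return findings; an empty list means every setting from the post is present."""
    findings, sshd = [], parse_sshd_config(sshd_text)
    for key in ("GSSAPIAuthentication", "KerberosAuthentication"):
        if sshd.get(key.lower(), "no").lower() != "yes":
            findings.append(f"sshd_config: {key} is not 'yes'")
    if "correct_des3_mic" not in parse_krb5_conf(krb5_text).get("gssapi", {}):
        findings.append("krb5.conf: [gssapi] section has no correct_des3_mic entry")
    if not any(t == "auth" and m == "pam_krb5.so" and "try_first_pass" in a
               for t, _c, m, a in parse_pam(pam_text)):
        findings.append("pam.d/sshd: no 'auth ... pam_krb5.so ... try_first_pass' rule")
    return findings

# Constructed sample inputs mirroring the fragments in the post (not real files).
SSHD_OK = "KerberosAuthentication yes\nGSSAPIAuthentication yes\n"
KRB5_OK = "[gssapi]\n    correct_des3_mic = host/*@MYDOMAIN.COM\n"
PAM_OK = "auth sufficient pam_krb5.so no_warn try_first_pass\naccount required pam_krb5.so\n"
```

Feed it the real files with `open(path).read()` to check a host; an empty result only means the settings from the post are present, not that the KDC side or the host keytab is correct.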
