On Sun, Feb 03, 2002 at 09:19:32AM -0800, behnaz wrote: > I want to set up a kereros 5 client with kerberos-enbled openssh.I have configured > /etc/krb5.conf and /etc/pam.d/sshd and I have performed all necessary steps but > when i run kinit and try to ssh to this machine i can't authomatically login without password. PAM (or pam_krb5) can't perform passwordless logins using Kerberos. The pam_krb5 module provides authentication using a password and a means to get initial credentials at login-time, but that's not sufficient for doing what you want (because the module *needs* a password to be entered in order to do its job). To properly support Kerberos, your SSH client and server need to support Kerberos as a separate authentication method (alongside, say, using public keys). To my knowledge, neither SSH nor OpenSSH provide this in their default source trees. If you're using patches which add GSSAPI authentication to OpenSSH (I use Simon Wilkinson's, I don't know of others), then PAM isn't going to be involved at all. To use Simon's patches, you'll need a keytab on the SSH server with the proper key (for host/hostname@REALM) in it, and the server's sshd_config file will need to include these configuration directives: GssapiAuthentication yes GssapiKeyExchange yes GssapiUseSessionCredCache yes HTH, Nalin
