Thanks for helping me to solve my problem about kerberos and openssh. I have installed required rpms for Rh7.1 : openssh-2.9p2-1eds.i386.rpm openssh-server-2.9p2-1eds.i386.rpm openssh-client-2.9p2-1eds.i386.rpm from Simon Wilkinsn Site. I have configured sshd_config and ssh_config to enable kerberos Authentication but I have got the same error in running sshd: Bad configuration option : kerberos Authentication I have installed openssh-3.0.2p1 and related patches for kerberos (openssh-3.0.2p1-krb5.patch and openssh-3.0.2p1-gssapi.patch ) In compiling I have enabled kerberos but it gives me an error for " not finding krb.h " .So I couldn't install openssh3.0.2 from tar file. If I am wrong in some phases please tell me , or any suggestions ? I really appritiate any help. Regards. Sara Steve Langasek wrote: > On Wed, Feb 13, 2002 at 02:50:46PM -0800, sara sodagar wrote: > > Hi > > I am using RH7.1 .I want to setup a Kerberos 5 client with > > Kerberos-enabled OPENSSH. > > > I have installed following rpms: > > > openssh-2.9p2-11.7 > > openssh-client-2.9p2-11.7 > > openssh-server-2.9p2-11.7 > > > pam-0.74-22 > > pam-krb5-1.31-1 > > pam-devel-0.74-22 > > > krb5-devel-1.2.2-12 > > krb5-libs-1.2.2-12 > > krb5-workstation-1.2.2.12 > > > I have attached my /etc/pam.d/sshd and /etc/pam.d/system-auth . > > I run kinit and then want to ssh to another kerberized machine > > without a password , but it promts to me for password. > > You're using the wrong tools for the job. pam_krb5 does NOT provide > passwordless access to remote Kerberized servers; it only verifies > provided passwords against a KDC by requesting a TGT on the user's > behalf. > > If you want passwordless, Kerberized SSH, you should look at Simon > Wilkinson's external-keyx patches to OpenSSH. There are several > different Kerberos options for SSH, but I understand this one is > considered the cleanest. You will have to change both your ssh client > and your ssh server (as Kerberos must be supported on both sides). > > Steve Langasek > postmodern programmer > > ------------------------------------------------------------------------ > Part 1.2Type: application/pgp-signature
