On Thu, 2008-11-27 at 23:08 +0000, Nigel J. Taylor wrote:
> If you are using Kerberos, then you need PasswordAuthentication yes in the
> sshd_config also.
>
> If you're using GSSAPI then you need GSSAPIAuthentication yes in the sshd_config
> and ssh_config. That is if you're using ssh wf and don't expect a prompt for a
> password. The following is using GSSAPI (First a failure as no ticket).
>
> $ ssh me@rhea
> Permission denied (publickey,gssapi-with-mic,keyboard-interactive).
> $ kinit me
> me@xxxxxxxxx's Password:
> $ ssh me@rhea
> Last login: Thu Nov 27 22:42:21 2008 from pandora.xxx.me.uk
> OpenBSD 4.4-stable (GENERIC) #3: Tue Nov 11 00:54:23 GMT 2008
>
> Welcome to OpenBSD: The proactively secure Unix-like operating system.
>
> Please use the sendbug(1) utility to report bugs in the system.
> Before reporting a bug, please try to reproduce it with the latest
> version of the code. With bug reports, please try to ensure that
> enough information to reproduce the problem is enclosed, and if a
> known fix for it exists, include that as well.
>
> $ egrep "Authen" /etc/ssh/sshd_config
> # Authentication:
> PasswordAuthentication no
> KerberosAuthentication no
> GSSAPIAuthentication yes
> $ ^D
> Connection to rhea closed.
> $ hostname
> pandora.xxx.me.uk
>
> Regards
>
> Nigel Taylor
>

client:

kinit kerberos-test
[kerberos-test@night_crawler ~]$ kdestroy
[kerberos-test@night_crawler ~]$ kinit kerberos-test
kerberos-test@xxxxxxxxxxxxxx's Password:
[kerberos-test@night_crawler ~]$ klist
Credentials cache: FILE:/tmp/krb5cc_1013
        Principal: kerberos-test@xxxxxxxxxxxxxx

  Issued           Expires          Principal
Nov 28 19:32:28  Nov 29 05:32:31  krbtgt/LOCALDOMAIN.DE@xxxxxxxxxxxxxx
[kerberos-test@night_crawler ~]$ ssh wf
Permission denied (publickey,gssapi-with-mic).
[kerberos-test@night_crawler ~]$ klist
Credentials cache: FILE:/tmp/krb5cc_1013
        Principal: kerberos-test@xxxxxxxxxxxxxx

  Issued           Expires          Principal
Nov 28 19:32:28  Nov 29 05:32:31  krbtgt/LOCALDOMAIN.DE@xxxxxxxxxxxxxx
Nov 28 19:34:42  Nov 29 05:32:31  host/wf.localdomain.de@xxxxxxxxxxxxxx

grep "Authen" /etc/ssh/ssh_config
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
GSSAPIAuthentication yes

server:

egrep "Authen" /etc/ssh/sshd_config
#RSAAuthentication yes
#PubkeyAuthentication yes
#RhostsRSAAuthentication no
#HostbasedAuthentication no
PasswordAuthentication no
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication yes

/usr/sbin/sshd -ed
.
.
.
Connection from MYCLIENTIP port 36001
debug1: Client protocol version 2.0; client software version OpenSSH_5.1
debug1: match: OpenSSH_5.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1
debug1: permanently_set_uid: 99/99
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user kerberos-test service ssh-connection method none
debug1: attempt 0 failures 0
debug1: PAM: initializing for "kerberos-test"
debug1: PAM: setting PAM_RHOST to "night_crawler.localdomain.de"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user kerberos-test service ssh-connection method gssapi-with-mic
debug1: attempt 1 failures 0
debug1: No credentials were supplied, or the credentials were unavailable or inaccessible.
unknown mech-code 0 for mech 1 2 840 113554 1 2 2
Connection closed by MYCLIENTIP
debug1: do_cleanup
debug1: do_cleanup
debug1: PAM: cleanup

btw, hostname returns only the first part of the fqdn on both of my systems.
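
The thread compares both sides with grep "Authen", which also prints commented-out lines that have no effect. As an added example (not part of either message, and not OpenSSH's own code), the script below resolves the value actually in force for a keyword. The helper names `effective` and `gssapi_sso_ready` are hypothetical, the two sample files are constructed to mirror the grep output above, and only the global section and `Host *` blocks are read.

```shell
#!/bin/sh
# Added example: effective value of an OpenSSH config keyword.
# OpenSSH keeps the first value it obtains for a keyword; a commented-out
# line sets nothing, so the built-in default applies instead.

# effective FILE KEYWORD DEFAULT  (hypothetical helper)
effective() {
    awk -v kw="$2" -v def="$3" '
        BEGIN { kw = tolower(kw); active = 1 }
        { sub(/=/, " ") }                      # accept the Keyword=value form
        /^[ \t]*(#|$)/ { next }                # comments and blank lines
        tolower($1) == "host" {                # ssh_config: only "Host *" applies to all
            active = 0
            for (i = 2; i <= NF; i++) if ($i == "*") active = 1
            next
        }
        tolower($1) == "match" { active = 0; next }   # conditional block: skipped
        active && tolower($1) == kw { val = tolower($2); found = 1; exit }
        END { print (found ? val : def) }
    ' "$1"
}

# gssapi_sso_ready SSHD_CONFIG SSH_CONFIG -> exit status 0 if both sides enable GSSAPI
gssapi_sso_ready() {
    [ "$(effective "$1" GSSAPIAuthentication no)" = yes ] &&
    [ "$(effective "$2" GSSAPIAuthentication no)" = yes ]
}

# Constructed sample files mirroring the grep output quoted in the message.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/sshd_config" <<'EOF'
#PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication yes
EOF
cat > "$tmp/ssh_config" <<'EOF'
#   PasswordAuthentication yes
GSSAPIAuthentication yes
EOF

# keyword:default pairs use upstream OpenSSH defaults (assumption: no vendor patches).
for kw in PubkeyAuthentication:yes PasswordAuthentication:yes KerberosAuthentication:no GSSAPIAuthentication:no; do
    printf 'sshd %-24s %s\n' "${kw%%:*}" "$(effective "$tmp/sshd_config" "${kw%%:*}" "${kw##*:}")"
done
gssapi_sso_ready "$tmp/sshd_config" "$tmp/ssh_config" && echo "GSSAPI enabled on both sides"
```

On a live server, `sshd -T` prints the daemon's own view of its effective configuration and is the authoritative check.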