Julius wrote: > On Thu, 2008-11-27 at 23:08 +0000, Nigel J. Taylor wrote: >> If your are using Kerberos, then you need PasswordAuthentication yes in the >> sshd_config also. >> >> If your using GSSAPI then you need GSSAPIAuthentication yes in the sshd_config >> and ssh_config. That is if your using ssh wf and don't expect a prompt for a >> password. The following is using GSSAPI (First a failure as no ticket). >> >> $ ssh me@rhea >> Permission denied (publickey,gssapi-with-mic,keyboard-interactive). >> $ kinit me >> me@xxxxxxxxx's Password: >> $ ssh me@rhea >> Last login: Thu Nov 27 22:42:21 2008 from pandora.xxx.me.uk >> OpenBSD 4.4-stable (GENERIC) #3: Tue Nov 11 00:54:23 GMT 2008 >> >> Welcome to OpenBSD: The proactively secure Unix-like operating system. >> >> Please use the sendbug(1) utility to report bugs in the system. >> Before reporting a bug, please try to reproduce it with the latest >> version of the code. With bug reports, please try to ensure that >> enough information to reproduce the problem is enclosed, and if a >> known fix for it exists, include that as well. >> >> $ egrep "Authen" /etc/ssh/sshd_config >> # Authentication: >> PasswordAuthentication no >> KerberosAuthentication no >> GSSAPIAuthentication yes >> $ ^D >> Connection to rhea closed. >> $ hostname >> pandora.xxx.me.uk >> >> Regards >> >> Nigel Taylor >> > > > Hi, > > its been some time but i just hate it to find "wrong" information for > good software. > PasswordAuthentication yes is NOT needed for GSSAPI to work as stated in > the first line. > the egrep later shows the truth :) > > > greets > > Hi, You are correct for GSSAPIAuthentication PasswordAuthentication no is correct as in the example provided by the egrep. My first line should have read "If you are using KerberosAuthentication" not just Kerberos, there was meant to be two different answers, maybe I should have included a Or between them. Both answers were provided as is was unclear if you were expecting to use GSSAPIAuthentication or KerberosAuthentication or both. For KerberosAuthentication to work PasswordAuthentication yes has to be used (the default setting is PasswordAuthentication yes - according to my man pages for sshd_config). The PasswordAuthentication yes with GSSAPIAuthentication yes is required if you want a fall back to password authentication, when GSSAPIAuthentication fails. The setting PasswordAuthentication yes/no depends on the way you want ssh to work when using GSSAPIAuthentication. Regards Nigel Taylor
