SSH + Kerberos Password auth

Douglas E. Engert deengert at anl.gov
Fri Mar 5 02:29:05 EST 2004



Kumaresh wrote:
> 
> Hello,
> 
> I have a question about SSH with Kerberos password authentication.


Maybe I am misunderstanding your question. Do you mean when you send 
your user and password over the network to a remote machine? The sshd 
on that machine then uses your user and password to get Kerberos tickets
and saves the tickets in the cache on that machine. 

> 
> Do I receive any host ticket to my client machine when I do ssh connection
> with Kerberos password authentication? If I don't, why?

No, not on the client, as you are not using Kerberos on the client, only
on the remote machine. In this case the client does not need any Kerberos
code. 


> 
> If I login to remote machine through telnet with Kerberos Password
> authentication [through PAM-kerberos], then I can see the tickets with
> klist. But with the same setup for sshd, I cannot see the tickets with
> klist.

Is your Kerberos password the same as the local machine password?
Whose Kerberos are you using? What is in your sshd_config?
Is a KRB5CCNAME environment variable set for you? 

It works for me, but we don't normally have this turned on, as the intent
of Kerberos is to get credentials on the local workstation once, then use the
gssapi to authenticate and delegate to remote hosts. When used as intended,
the Kerberos password never leaves the local machine. And if you were
to use some Kerberos pre-auth you may not even have a Kerberos password 
to send!  
 


 

> 
> Thanks,
> Kumaresh
> 

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
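
An added example (not from the original post and not OpenSSH code): a shell check that reads an sshd_config on stdin and reports whether it enables the Kerberos password path described above, the GSSAPI path, both, or neither. The function names and sample configurations are constructed for illustration; it reads only global settings, does not follow Include files, and cannot see Kerberos done through PAM.

```shell
#!/bin/sh
# Classify how an sshd_config lets Kerberos be used:
#   password - the user's password is sent to sshd, which gets tickets on the server
#   gssapi   - tickets obtained on the client are used; the password never leaves it
# sshd_config keywords are case-insensitive and the first value obtained wins.

# usage: sshd_opt KEYWORD DEFAULT < config   (global section only)
sshd_opt() {
    awk -F'[ \t=]+' -v key="$1" -v def="$2" '
        BEGIN { key = tolower(key) }
        { sub(/^[ \t]+/, "") }                  # drop indentation, re-split fields
        /^#/ { next }                           # skip comments
        tolower($1) == "match" { exit }         # stop before conditional blocks
        tolower($1) == key { val = tolower($2); exit }
        END { print (val != "" ? val : def) }
    '
}

# usage: kerberos_mode < config   -> prints password | gssapi | both | none
kerberos_mode() {
    cfg=$(cat)
    krb=$(printf '%s\n' "$cfg" | sshd_opt KerberosAuthentication no)
    pw=$(printf '%s\n' "$cfg" | sshd_opt PasswordAuthentication yes)
    gss=$(printf '%s\n' "$cfg" | sshd_opt GSSAPIAuthentication no)
    # KerberosAuthentication only validates a password that sshd accepted.
    if [ "$krb" = yes ] && [ "$pw" = yes ]; then pass=1; else pass=0; fi
    case "$pass:$gss" in
        1:yes) echo both ;;
        1:*)   echo password ;;
        0:yes) echo gssapi ;;
        *)     echo none ;;
    esac
}

# Constructed sample: password path; the later "no" is ignored (first value wins).
SAMPLE_PASSWORD='# constructed sample
PasswordAuthentication yes
kerberosauthentication yes
KerberosAuthentication no
KerberosTicketCleanup yes'

# Constructed sample: GSSAPI only, password logins disabled.
SAMPLE_GSSAPI='PasswordAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes'

printf '%s\n' "$SAMPLE_PASSWORD" | kerberos_mode
printf '%s\n' "$SAMPLE_GSSAPI" | kerberos_mode
```

On a real host, `kerberos_mode < /etc/ssh/sshd_config` gives the same classification for the file's global section.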



