OpenSSH and Kerberos / Active Directory authentication problems: Credentials cache permission incorrect / No Credentials Cache found

Douglas E. Engert deengert at
Thu Dec 1 23:50:51 EST 2005

Darren Tucker wrote:

> On Wed, Nov 30, 2005 at 02:48:43PM -0600, Douglas E. Engert wrote:
>>Sort of. Either pam_krb5 (if using "ChallangeResponse yes") or sshd
>>directly with "KerberosAuthentication yes" will use the username and password
>>to get a ticket granting ticket (TGT).
> Minor nitpick: PasswordAuthentication also uses PAM in 3.9p1 and up
> (and 3.6.1p2 and below), so for current versions the first part of
> that would more correctly be "UsePAM yes" and either (or both) of
> "ChallengeResponseAuthentication yes" and "PasswordAuthentication yes".

It also looks like it depends on if sshd was compled with  --with-kerberos5
It looks like in auth-passwd.c in auth_password() will call
auth_krb5_password before the test for use_pam. auth_krb5_password calls
Kerberos directly. (I am looking at OpenSSH-4.1p1)

So in effect it could try the Kerberos password twice once via auth_krb5_password
and once via pam_krb5. I think we have seen this, but never knew why!


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the openssh-unix-dev mailing list