OpenSSH and Kerberos / Active Directory authentication problems: Credentials cache permission incorrect / No Credentials Cache found

Douglas E. Engert deengert at anl.gov
Thu Dec 1 23:50:51 EST 2005



Darren Tucker wrote:

> On Wed, Nov 30, 2005 at 02:48:43PM -0600, Douglas E. Engert wrote:
> 
>>Sort of. Either pam_krb5 (if using "ChallangeResponse yes") or sshd
>>directly with "KerberosAuthentication yes" will use the username and password
>>to get a ticket granting ticket (TGT).
> 
> 
> Minor nitpick: PasswordAuthentication also uses PAM in 3.9p1 and up
> (and 3.6.1p2 and below), so for current versions the first part of
> that would more correctly be "UsePAM yes" and either (or both) of
> "ChallengeResponseAuthentication yes" and "PasswordAuthentication yes".
> 

It also looks like it depends on if sshd was compiled with --with-kerberos5.
It looks like auth_password() in auth-passwd.c will call
auth_krb5_password before the test for use_pam. auth_krb5_password calls
Kerberos directly. (I am looking at OpenSSH-4.1p1)

So in effect it could try the Kerberos password twice, once via auth_krb5_password
and once via pam_krb5. I think we have seen this, but never knew why!

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
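
Added example, not part of the original message and not OpenSSH code: a small check that reads an sshd_config and a PAM service file and lists which of the two paths described above (sshd's own auth_krb5_password and pam_krb5) would receive the password. The function names, path labels and sample inputs are constructed for illustration; it assumes sshd was built with --with-kerberos5 and follows the message's reading of auth_password().

```python
import re

# Constructed sample inputs, not taken from the thread.
SAMPLE_SSHD_CONFIG = """\
UsePAM yes
PasswordAuthentication yes
KerberosAuthentication yes
kerberosauthentication no
"""
SAMPLE_PAM_SSHD = """\
auth     sufficient  pam_krb5.so
auth     required    pam_unix.so try_first_pass
"""

# sshd defaults for the keywords named in the thread.
DEFAULTS = {"usepam": "no", "passwordauthentication": "yes",
            "challengeresponseauthentication": "yes",
            "kerberosauthentication": "no"}

def parse_sshd_config(text):
    """Effective global settings: keywords are case-insensitive, first value wins."""
    opts, seen = dict(DEFAULTS), set()
    for raw in text.splitlines():
        parts = re.split(r"[\s=]+", raw.strip(), maxsplit=1)
        key = parts[0].lower()
        if key == "match":          # per-connection blocks are out of scope here
            break
        if len(parts) == 2 and not key.startswith("#") and key not in seen:
            seen.add(key)
            opts[key] = parts[1].strip().strip('"').lower()
    return opts

def pam_auth_uses_krb5(text):
    """True if any 'auth' line of the PAM service file loads pam_krb5."""
    rows = (r.split() for r in text.splitlines())
    return any(f and f[0].lstrip("-") == "auth" and any("pam_krb5" in x for x in f[1:])
               for f in rows)

def kerberos_password_paths(sshd_text, pam_text):
    """List the code paths that would hand the password to Kerberos."""
    o = parse_sshd_config(sshd_text)
    paths = []
    if o["passwordauthentication"] == "yes" and o["kerberosauthentication"] == "yes":
        paths.append("sshd:auth_krb5_password")   # assumes a --with-kerberos5 build
    pam_used = "yes" in (o["passwordauthentication"], o["challengeresponseauthentication"])
    if o["usepam"] == "yes" and pam_used and pam_auth_uses_krb5(pam_text):
        paths.append("pam:pam_krb5")
    return paths
```

A result with both entries is the configuration in which the password could be tried against Kerberos twice.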



