SSH with Kerberos authentication
Vladimir Dvorak
dvorakv at vdsoft.org
Wed Mar 16 02:17:03 PST 2005
Hi *,
I have been stuck for several hours configuring SSH authentication via Kerberos. I tested the same configuration on Linux and there was no problem.
I suspect pam_krb5.so.
My setup:
FreeBSD 5.3-RELEASE-p5
Kerberos coming with the base system (Heimdal implementation, Heimdal 0.6.1)
In /etc/krb5.conf:
[libdefaults]
default_realm = ATREY
[realms]
ATREY = {
kdc = 172.16.10.1
kpasswd_server = 172.16.10.1
}
[logging]
kdc = FILE:/var/log/kdc.log
kdc = SYSLOG:DEBUG
default = SYSLOG:DEBUG:USER
[appdefaults]
kinit = {
forwardable= true
}
[kdc]
database = {
realm = ATREY
}
require-preauth = no
v4-realm= ATREY
key-file = /var/heimdal/heimdal.mkey
In /etc/pam.d/sshd I have:
auth sufficient pam_krb5.so try_first_pass debug
auth required pam_unix.so
account required pam_krb5.so debug
session optional pam_krb5.so debug
password sufficient pam_krb5.so debug
From the client view:
....
debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/dvorakv/.ssh/identity
debug1: Trying private key: /home/dvorakv/.ssh/id_rsa
debug1: Trying private key: /home/dvorakv/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Password:
pam_krb5: pam_sm_authenticate: Kerberos 5 error
pam_krb5: pam_sm_authenticate: Kerberos 5 refuses you
On the server side there is nothing to report in /var/log/auth.log. :-( In /var/log/kdc.log:
What is more, the "debug" parameter after pam_krb5.so doesn't increase the verbosity of the output.
Here is my configuration method:
1.kstash
Password: xxxx
2. edit /etc/krb5.conf
3. kadmin -l
kadmin> init ATREY
..
4. add principals
kadmin> add dvorakv
....
5. run kdc,kpasswd,kadmind
/etc/rc.d/{kerberos,kadmind,kpasswd} start
6. Test if I can get a ticket
kinit dvorakv
password: xxxx
dvorakv at atrey:~$ kinit dvorakv
dvorakv at ATREY's Password:
kinit: NOTICE: ticket renewable lifetime is 1 week
^^^^ Everything OK, except SSH and PAM! :-(
And a last remark: this server runs in a jail(8), but that shouldn't be a problem.
Any ideas? Is /etc/pam.d/sshd correct? Is there anything I am missing? Is there anything special about FreeBSD compared to Linux?
Thank you, Vladimir
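To reason about what the posted /etc/pam.d/sshd stack actually decides for each combination of module results, here is a small evaluator of the standard PAM control flags. This is an added example, not code from the original post or from FreeBSD; it models the documented required/requisite/sufficient/optional semantics shared by OpenPAM (FreeBSD) and Linux-PAM, the per-module outcomes it feeds in are constructed scenarios, and it does not diagnose the Kerberos error itself.

```python
# Added example (not from the original post): a small evaluator for the PAM
# stack control flags used in the posted /etc/pam.d/sshd, following the
# documented semantics shared by OpenPAM (FreeBSD) and Linux-PAM:
#   required   - failure is remembered, the chain continues, final result fails
#   requisite  - failure ends the chain immediately with failure
#   sufficient - success ends the chain with success unless an earlier
#                required module already failed; failure is ignored
#   optional   - result only matters if it is the only module in the chain
# The module outcomes fed in below are constructed scenarios, not real results.
from dataclasses import dataclass

# The stack exactly as posted in the question.
SSHD_PAM = """\
auth sufficient pam_krb5.so try_first_pass debug
auth required pam_unix.so
account required pam_krb5.so debug
session optional pam_krb5.so debug
password sufficient pam_krb5.so debug
"""


@dataclass(frozen=True)
class PamEntry:
    facility: str   # auth, account, session, password
    control: str    # required, requisite, sufficient, optional
    module: str     # e.g. pam_krb5.so
    args: tuple     # module arguments, e.g. ("try_first_pass", "debug")


def parse_pam(text):
    """Parse pam.d-style lines into PamEntry objects (comments and blanks skipped)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        facility, control, module, *args = fields
        if control not in ("required", "requisite", "sufficient", "optional"):
            raise ValueError(f"unknown control flag {control!r} in {raw!r}")
        entries.append(PamEntry(facility, control, module, tuple(args)))
    return entries


def evaluate(entries, facility, outcomes):
    """Walk one facility's chain. outcomes maps module name -> True (PAM_SUCCESS)
    or False (any error). Returns (allowed, trace); trace explains each step."""
    chain = [e for e in entries if e.facility == facility]
    required_failed = False
    trace = []
    for e in chain:
        ok = outcomes.get(e.module, False)   # a module with no outcome is treated as failing
        trace.append(f"{e.control:10} {e.module}: {'ok' if ok else 'FAIL'}")
        if e.control == "requisite" and not ok:
            trace.append("requisite failed -> chain stops, denied")
            return False, trace
        if e.control == "required" and not ok:
            required_failed = True
        if e.control == "sufficient" and ok and not required_failed:
            trace.append("sufficient succeeded -> chain stops, allowed")
            return True, trace
        if e.control == "optional" and len(chain) == 1:
            return ok, trace
    return (not required_failed), trace


def sshd_outcome(facility, krb5_ok, unix_ok):
    """Result of the posted sshd stack for one constructed scenario."""
    entries = parse_pam(SSHD_PAM)
    allowed, _ = evaluate(entries, facility, {"pam_krb5.so": krb5_ok, "pam_unix.so": unix_ok})
    return allowed


if __name__ == "__main__":
    entries = parse_pam(SSHD_PAM)
    scenarios = {
        "auth: Kerberos accepts the password": ("auth", True, True),
        "auth: Kerberos refuses, local password OK": ("auth", False, True),
        "auth: both refuse": ("auth", False, False),
        "account: pam_krb5 account check fails": ("account", False, True),
    }
    for label, (facility, k, u) in scenarios.items():
        allowed, trace = evaluate(entries, facility, {"pam_krb5.so": k, "pam_unix.so": u})
        print(f"{label}: {'ALLOWED' if allowed else 'DENIED'}")
        for step in trace:
            print("   ", step)
```

Under these semantics the auth chain ignores a pam_krb5 failure and lets pam_unix decide, so the "Kerberos 5 refuses you" message by itself should not lock out a user whose local password is accepted; the account chain, however, has pam_krb5 as required, so any failure there denies the session no matter which auth module succeeded. That makes the account line the first thing to check when a login fails after the password is apparently accepted.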
More information about the freebsd-questions mailing list