Hello freebsd-security!

What is the best way to authenticate remote ssh users transparently without typing the kinit and kdestroy commands? Using pam_krb5 works satisfactorily for local logins but makes it crooked for remote ssh ones. The comp.protocols.kerberos and comp.security.ssh newsgroups and the pam-krb5-users mailing list confirm this assertion.

As far as I understood, using the kerberized login.krb5 tool implies removing (or hiding) the native login program and substituting it by login.krb5, say as a symbolic link, isn't it? The possibility of selecting one of two or more authentication methods, as in the case of pam, may be useful, say, if I need to pass users to exploiting kerberized applications gradually, and even more so when I am suffering problems with my KDCs or network connections.

IMHO using pam_krb5 for kerberized login is somewhat superfluous.

--
Thanks in advance
Illia Baidakov.

Hello

Thursday, January 15, 2004, 4:57:49 PM, you wrote:

ACJ> Have you tried the port 'openssh-portable'? I have been using it with
ACJ> krb5 authentication for about a month. It seems to be working fine.

Namely 3.7.1p2. After reading over the man sshd_config once again I have caught the difference between the KerberosAuthentication and GSSAPIAuthentication types and between them and using pam_krb5. Apologies for the disturbance.

--
Best regards,
Illia Baidakov.