search for: kerberosauthentication

...into the Samba4 AD server as a domain user: labmac:~ mark$ ssh mark at mail pwd mark at mail's password: Permission denied, please try again. where 'mail' is the AD/DC. It also fails if I am on the AD/DC an try the same ssh. I've tried setting either the GSSAPIAuthentication or KerberosAuthentication in /etc/ssh/sshd_config, but those don't help. I get: Dec 1 06:09:19 mail sshd[8645]: rexec line 89: Unsupported option GSSAPIAuthentication Dec 1 06:09:19 mail sshd[8645]: reprocess config line 89: Unsupported option GSSAPIAuthentication Dec 1 06:09:22 mail sshd[8645]: Failed password for...

...try again. > > > > > > > > where 'mail' is the AD/DC. > > > > > > > > It also fails if I am on the AD/DC an try the same ssh. > > > > > > > > I've tried setting either the GSSAPIAuthentication or > > > > KerberosAuthentication in /etc/ssh/sshd_config, but those don't > > > > help. I get: Stop here. If you have root privileges, add a *local* account on the relevant system, and log in using the Kerberos credentials. If those don't work, you have other issues. Also, just because a host is an AD server...

...where 'mail' is the AD/DC. > > > > > > > > > > > > It also fails if I am on the AD/DC an try the same ssh. > > > > > > > > > > > > I've tried setting either the GSSAPIAuthentication or > > > > > > KerberosAuthentication in /etc/ssh/sshd_config, but those > > > > > > don't help. I get: > > > > > > > > > > > > Dec 1 06:09:19 mail sshd[8645]: rexec line 89: Unsupported option > > > > > > GSSAPIAuthentication Dec 1 06:09:19 mail sshd[8645]:...

...in the Kerberos code for existing vs nonexistent users. See the thread in the URL. To summarise the thread: Senthil Kumar said: > I tested [with the patch in bug #971 - dt] OpenSSH-3.9p1 with the following > options in sshd configuration > > ChallengeResponseAuthentication `no` > KerberosAuthentication `yes` > passwordauthentication `yes` > > but it shows difference in time for the appearance of password prompts for > both valid and invalid users. The code shows PAM-password Authentication is > not attempted when KerberosAuthentication is enabled. So by disabling > kerberosA...

...> Permission denied, please try again. > > > > > > where 'mail' is the AD/DC. > > > > > > It also fails if I am on the AD/DC an try the same ssh. > > > > > > I've tried setting either the GSSAPIAuthentication or > > > KerberosAuthentication in /etc/ssh/sshd_config, but those don't > > > help. I get: > > > > > > Dec 1 06:09:19 mail sshd[8645]: rexec line 89: Unsupported option > > > GSSAPIAuthentication Dec 1 06:09:19 mail sshd[8645]: reprocess > > > config line 89: Unsupported option...

...where 'mail' is the AD/DC. > > > > > > > > > > > > It also fails if I am on the AD/DC an try the same ssh. > > > > > > > > > > > > I've tried setting either the GSSAPIAuthentication or > > > > > > KerberosAuthentication in /etc/ssh/sshd_config, but those > > > > > > don't help. I get: > > > > > > > > > > > > Dec 1 06:09:19 mail sshd[8645]: rexec line 89: Unsupported option > > > > > > GSSAPIAuthentication Dec 1 06:09:19 mail sshd[8645]:...

Is something special required for KerbV auth to work? I've enabled: KerberosAuthentication yes on some test boxes and it doesn't work. I do a kinit, and then ssh and it asks for a password. If you don't provide one, you don't get in. Also, th...

...ing like this would do the job in sshd_config: #general config #... Match User foo LocalAddress 10.0.0.1,fe80:abba::0 PasswordAuthentication no KbdInteractiveAuthentication no RhostsRSAAuthentication no HostbasedAuthentication no KerberosAuthentication no GSSAPIAuthentication no RSAAuthentication no PubkeyAuthentication yes Match User foo LocalAddress !10.0.0.1,!fe80:abba::0 PasswordAuthentication no KbdInteractiveAuthentication no RhostsRSAA...

...E_ACCEPT debug1: authentications that can continue: kerberos-tgt-2 at ssh.com,kerberos-1 at ssh.com,password,hostbased debug1: no more auth methods to try Permission denied (kerberos-tgt-2 at ssh.com,kerberos-1 at ssh.com,password,hostbased). debug1: Calling cleanup 0x80641a4(0x0) I've put KerberosAuthentication yes into ssh_config. I'm not an expert, so any advice about what I'm missing would be greatly appreciated. TIA.

Hi. I wonder if it would be possible to implement support for a user-specific sshd_config. The primary reason is that I would like the ability to specify that I'm only allowed to login with a key pair, even though the system-wide sshd configuration still allows passwords for other users. Of course, a user-specific sshd_config file should not be able to break the security policy of the

...The required defines are in openbsd-compat/readpassphrase.h, and they assume that HAVE_READPASSPHRASE is undefined. If I undefine HAVE_READPASSPHRASE, make clean, and make, everything compiles, but when I try to turn on sshd, I get: /usr/local/etc/sshd_config: line 68: Bad configuration option: KerberosAuthentication /usr/local/etc/sshd_config: line 69: Bad configuration option: KerberosOrLocalPasswd /usr/local/etc/sshd_config: line 70: Bad configuration option: KerberosTicketCleanup /usr/local/etc/sshd_config: line 74: Bad configuration option: AFSTokenPassing /usr/local/etc/sshd_config: line 77: Bad configura...

...subscribed to this list, so please respond directly if you need to speak to me] In man5/sshd_config.5, a permissible keyword in a 'Match' block is missing. It currently lists only: AllowTcpForwarding, Banner, ForceCommand, GatewayPorts, GSSApiAuthentication, KbdInteractiveAuthentication, KerberosAuthentication, PasswordAuthentication, PermitOpen, PermitRootLogin, RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset, X11Forwarding, and X11UseLocalHost. >From recent testing in setting up a chroot'd SFTP-only environment (thank you for that!), the following is also permissible: ChrootDirect...

...> Select kerberos winbind and unix ( and keep other defaults as is ) I didnt found "kerberos" in the selection-list. But with "libpam-krb5" installed it is shown. @David: Did you enable Kerberos authentication in /etc/ssh/sshd_config? I see to select: # Kerberos options #KerberosAuthentication no #KerberosGetAFSToken no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes What should I enable from these? > > Type id username > You see a correct shell and correct and existing homedir? $ LANG=POSIX id oliver uid=1000(oliver) gid=1000(oliver) groups=1000(oliver),4(adm),24(cdro...

...run without PAM authentication, then enable this but set # ChallengeResponseAuthentication=no sshd has been started along with the following command-line configuration settings. # /opt/ssh/sbin/sshd -o "usepam yes" -o "challengeresponseauthentication no" -o "kerberosauthentication no" -o "passwordauthentication yes" -o "kerberosorlocalpasswd no" Authentication ,Password management modules were set to "libpam_krb5.so.1" and Session,Account management modules were set to "libpam_unix.so.1" in pam configuation file. During ssh co...

...e to get SSH with Active Directory authentication set up on the server. It involved several modifications to the sshd_config file. I am listing the changes that were made for the benefit of the group: # Change to no to disable s/key passwords ChallengeResponseAuthentication no # Kerberos options KerberosAuthentication yes #KerberosOrLocalPasswd yes KerberosTicketCleanup yes KerberosGetAFSToken yes # GSSAPI options GSSAPIAuthentication yes GSSAPICleanupCredentials yes There is one more caveat that I need to overcome. So far, one domain user account is able to log into the server at the console, or through an SS...

...hostsRSAAuthentication and HostbasedAuthentication IgnoreUserKnownHosts no # To disable tunneled clear text passwords, change to no here! PasswordAuthentication yes PermitEmptyPasswords no # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes # Kerberos options # KerberosAuthentication automatically enabled if keyfile exists KerberosAuthentication yes KerberosOrLocalPasswd no KerberosTicketCleanup yes # AFSTokenPassing automatically enabled if k_hasafs() is true AFSTokenPassing yes # Kerberos TGT Passing only works with the AFS kaserver KerberosTgtPassing yes # Set thi...

...tModes yes X11Forwarding no X11DisplayOffset 10 PrintMotd yes KeepAlive yes PrintLastLog no SyslogFacility AUTH LogLevel INFO RhostsRSAAuthentication no HostbasedAuthentication no RSAAuthentication yes PasswordAuthentication yes PermitEmptyPasswords no UsePAM yes #ChallengeResponseAuthentication no KerberosAuthentication no UseLogin no Banner /usr/local/etc/issue.net Subsystem sftp /usr/libexec/openssh/sftp-server MaxStartups 10:30:60 -- Nick Burrett Network Engineer, Designer Servers Ltd. http://www.dsvr.co.uk

...need host keys in /etc/ssh_known_hosts RhostsRSAAuthentication no # RSAAuthentication yes # To disable tunneled clear text passwords, change to no here! PasswordAuthentication yes PermitEmptyPasswords no # Uncomment to disable s/key passwords #SkeyAuthentication no # To change Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #AFSTokenPassing no #KerberosTicketCleanup no # Kerberos TGT Passing does only work with the AFS kaserver #KerberosTgtPassing yes CheckMail no UseLogin no

...et_lifetime = 24h renew_lifetime = 7d forwardable = true udp_preference_limit = 0 default_ccache_name = KEYRING:persistent:%{uid} [domain_realm] .dsdev = DSDEV.LOCAL dsdev = DSDEV.LOCAL dsdev.local = DSDEV.LOCAL .dsdev.local = DSDEV.LOCAL /etc/ssh/ssd_config: ChallengeResponseAuthentication no KerberosAuthentication yes KerberosTicketCleanup yes KerberosGetAFSToken yes GSSAPIAuthentication yes GSSAPICleanupCredentials yes /etc/resolv.conf: search dsdev.local ourdomain nameserver y.y.y.y. nameserver x.x.x.x /etc/pam.d/password-auth-ac: auth required pam_env.so auth [default=1 success=ok] pam_l...

...or # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # To disable tunneled clear text passwords, change to no here! PasswordAuthentication no PermitEmptyPasswords no # Change to no to disable PAM authentication #ChallengeResponseAuthentication yes # Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #AFSTokenPassing no # Kerberos TGT Passing only works with the AFS kaserver #KerberosTgtPassing no #X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes #PrintLastLog yes #KeepAlive yes #UseLogin no #UsePrivilegeSepar...