search for: kerberosgetafstoken

Displaying 20 results from an estimated 44 matches for "kerberosgetafstoken".

2005 Nov 09
2
KerberosGetAFSToken drives me crazy
Hi, every time I enable the option "KerberosGetAFSToken yes" on a computer where the afs-client works fine I get a (/var/log/)message(s) like this: "sshd[1136]: rexec line 70: Unsupported option KerberosGetAFSToken". No one gets an afs-token via ssh-login. I found this in sshd in suse9.3, suse 10.0 and fedora core 4 but I did not find any...
2015 Nov 04
6
ssh authentication with AD
...nd and unix ( and keep other defaults as is ) I didn't find "kerberos" in the selection-list. But with "libpam-krb5" installed it is shown. @David: Did you enable Kerberos authentication in /etc/ssh/sshd_config? I see to select: # Kerberos options #KerberosAuthentication no #KerberosGetAFSToken no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes What should I enable from these? > > Type id username > You see a correct shell and correct and existing homedir? $ LANG=POSIX id oliver uid=1000(oliver) gid=1000(oliver) groups=1000(oliver),4(adm),24(cdrom),27(sudo),30(dip),46(p...
2004 Jan 01
1
Syncing sshd/krb GetAFSToken change to Portable: help wanted
Hi All. Recently a change was merged from OpenBSD's sshd into Portable that implements a KerberosGetAFSToken option (patchset attached). This change causes compile errors with both MIT Kerberos and Heimdal (errors when compiled with MIT Kerberos below). I've figured out that the functions called in the new code are in Heimdal's libkafs, so adding -lkafs to the start for the Heimdal CFLAGS i...
2016 Jun 15
2
FW: Problem with Active Directory authentication
...ved several modifications to the sshd_config file. I am listing the changes that were made for the benefit of the group: # Change to no to disable s/key passwords ChallengeResponseAuthentication no # Kerberos options KerberosAuthentication yes #KerberosOrLocalPasswd yes KerberosTicketCleanup yes KerberosGetAFSToken yes # GSSAPI options GSSAPIAuthentication yes GSSAPICleanupCredentials yes There is one more caveat that I need to overcome. So far, one domain user account is able to log into the server at the console, or through an SSH connection. However, any other user account is not able to do so. When the...
2004 Jan 22
11
Pending OpenSSH release: contains Kerberos/GSSAPI changes
...and send feedback. Changes in OpenBSD's OpenSSH and -Portable: - markus at cvs.openbsd.org 2003/11/17 11:06:07 replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob. - jakob at cvs.openbsd.org 2003/12/23 16:12:10 implement KerberosGetAFSToken server option. ok markus@, beck@ - markus at cvs.openbsd.org 2003/11/02 11:01:03 remove support for SSH_BUG_GSSAPI_BER; simon at sxw.org.uk Changes in -Portable only - (dtucker) Only enable KerberosGetAFSToken if Heimdal's libkafs is found. with jakob@ - (dtucker) [configur...
2004 Feb 27
1
[PATCH] Getting AFS tokens from a GSSAPI-delegated TGT
Here is a patch I just wrote and tested which may be of interest to those who wish to use KerberosGetAFSToken (currently requires Heimdal libkafs) in combination with GSSAPIDelegateCredentials. The patch is in the public domain and comes with no warranty whatsoever. Applies to pristine 3.8p1. Works for me on Solaris and Tru64. I'd probably have used Doug Engert's patch from 2004-01-30 if Heimdal...
2017 May 09
2
ssh not connecting to Active Directory in Fedora 25 workstation, wbinfo -u works; child_read_request: read_data failed: NT_STATUS_CONNECTION_RESET
...true udp_preference_limit = 0 default_ccache_name = KEYRING:persistent:%{uid} [domain_realm] .dsdev = DSDEV.LOCAL dsdev = DSDEV.LOCAL dsdev.local = DSDEV.LOCAL .dsdev.local = DSDEV.LOCAL /etc/ssh/ssd_config: ChallengeResponseAuthentication no KerberosAuthentication yes KerberosTicketCleanup yes KerberosGetAFSToken yes GSSAPIAuthentication yes GSSAPICleanupCredentials yes /etc/resolv.conf: search dsdev.local ourdomain nameserver y.y.y.y. nameserver x.x.x.x /etc/pam.d/password-auth-ac: auth required pam_env.so auth [default=1 success=ok] pam_localuser.so auth [success=done ignore=ignor...
2006 Jun 20
1
unable to login with LDAP when set Uselogin to yes
...es # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes #PermitEmptyPasswords no # Change to no to disable s/key passwords ChallengeResponseAuthentication no # Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #KerberosGetAFSToken no # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication mechanism. # Depe...
2006 Jan 20
1
openssh-4.2p1 + Pam question !
...es # To disable tunneled clear text passwords, change to no here! PasswordAuthentication no #PermitEmptyPasswords no # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes # Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #KerberosGetAFSToken no # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication mechanism. # Depe...
2015 Nov 05
1
ssh authentication with AD
...rberos" in the selection-list. But with "libpam-krb5" >> installed it is shown. >> >> @David: Did you enable Kerberos authentication in /etc/ssh/sshd_config? >> I see to select: >> >> # Kerberos options >> #KerberosAuthentication no >> #KerberosGetAFSToken no >> #KerberosOrLocalPasswd yes >> #KerberosTicketCleanup yes >> >> What should I enable from these? >>> Type id username >>> You see a correct shell and correct and existing homedir? >> $ LANG=POSIX id oliver >> uid=1000(oliver) gid=1000(olive...
2015 Nov 04
0
ssh authentication with AD
...> > I didn't find "kerberos" in the selection-list. But with "libpam-krb5" > installed it is shown. > > @David: Did you enable Kerberos authentication in /etc/ssh/sshd_config? > I see to select: > > # Kerberos options > #KerberosAuthentication no > #KerberosGetAFSToken no > #KerberosOrLocalPasswd yes > #KerberosTicketCleanup yes > > What should I enable from these? > > > > Type id username > > You see a correct shell and correct and existing homedir? > $ LANG=POSIX id oliver > uid=1000(oliver) gid=1000(oliver) > > groups=...
2016 Jun 15
0
FW: Problem with Active Directory authentication
...le. I am listing the changes that were made for the benefit of the group: > > > # Change to no to disable s/key passwords > ChallengeResponseAuthentication no > > # Kerberos options > KerberosAuthentication yes > #KerberosOrLocalPasswd yes > KerberosTicketCleanup yes > KerberosGetAFSToken yes > > # GSSAPI options > GSSAPIAuthentication yes > GSSAPICleanupCredentials yes > > There is one more caveat that I need to overcome. So far, one domain user account is able to log into the server at the > console, or through an SSH connection. However, any other user accoun...
2004 Feb 24
0
OpenSSH 3.8 released
...ht need full access to the X11 server, see ForwardX11Trusted in ssh(1) and xauth(1) for more information. * ssh(1) now supports sending application layer keep-alive messages to the server. See ServerAliveInterval in ssh(1) for more information. * Improved sftp(1) batch file support. * New KerberosGetAFSToken option for sshd(8). * Updated /etc/moduli file and improved performance for protocol version 2. * Support for host keys in DNS (draft-ietf-secsh-dns-xx.txt). Please see README.dns in the source distribution for details. * Fix a number of memory leaks. * The experimental "gssapi" s...
2006 Apr 08
1
[Bug 1180] Add finer-grained controls to sshd
http://bugzilla.mindrot.org/show_bug.cgi?id=1180 Summary: Add finer-grained controls to sshd Product: Portable OpenSSH Version: -current Platform: All OS/Version: All Status: NEW Severity: enhancement Priority: P2 Component: sshd AssignedTo: bitbucket at mindrot.org ReportedBy: dtucker at
2004 Jan 06
0
(no subject)
...eone may port Heimdal's libkafs to MIT Kerberos V. But until that happens I'd just wrap your new code inside #ifdef HEIMDAL blocks. On 2004-01-01 5:54:15, Darren Tucker wrote: > Hi All. > > Recently a change was merged from OpenBSD's sshd into Portable > that implements a KerberosGetAFSToken option (patchset attached). > > This change causes compile errors with both MIT Kerberos and > Heimdal (errors when compiled with MIT Kerberos below). > > I've figured out that the functions called in the new code are > in Heimdal's libkafs, so adding -lkafs to the start f...
2004 Feb 24
0
OpenSSH 3.8 released
...ht need full access to the X11 server, see ForwardX11Trusted in ssh(1) and xauth(1) for more information. * ssh(1) now supports sending application layer keep-alive messages to the server. See ServerAliveInterval in ssh(1) for more information. * Improved sftp(1) batch file support. * New KerberosGetAFSToken option for sshd(8). * Updated /etc/moduli file and improved performance for protocol version 2. * Support for host keys in DNS (draft-ietf-secsh-dns-xx.txt). Please see README.dns in the source distribution for details. * Fix a number of memory leaks. * The experimental "gssapi" s...
2005 Mar 11
2
Dynamic smartcard support?
Hi all, and thanks for everyone's work on the 4.0 release! There's been recent discussion on the OpenSC mailing list about getting better/updated smartcard support into OpenSSH. Originating from an OpenSSH package maintainer's desire to keep dependencies to a minimum, the idea to load OpenSC dynamically popped up. Now the question is whether this is an approach that would be favored
2005 Dec 09
0
openssh & kerberos difficulties
1/ When I access with GSSAPIAuthentication & GSSAPIDelegateCredentials the option KerberosGetAFSToken does not work. The tickets are transferred correctly because the AFS tokens are obtained if the command afslog is inserted in /etc/ssh/sshrc file. 2/ When multiple realms are defined in /etc/krb5.conf sshd uses only the first default realm for kerberos password authentication. However gssapi access...
2010 Jul 14
1
SFTP Chroot
...PermitEmptyPasswords no # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) ChallengeResponseAuthentication no # Change to no to disable tunnelled clear text passwords #PasswordAuthentication yes # Kerberos options #KerberosAuthentication no #KerberosGetAFSToken no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes X11Forwarding yes X11DisplayOffset 10 PrintMotd no PrintLastLog yes TCPKeepAlive yes #UseLogin no #MaxStartups 10:30:60 #Banner /etc/issue.net # Allow client to pass...
2015 Nov 04
0
ssh authentication with AD
...> > I didn't find "kerberos" in the selection-list. But with "libpam-krb5" > installed it is shown. > > @David: Did you enable Kerberos authentication in /etc/ssh/sshd_config? > I see to select: > > # Kerberos options > #KerberosAuthentication no > #KerberosGetAFSToken no > #KerberosOrLocalPasswd yes > #KerberosTicketCleanup yes > > What should I enable from these? > > > > Type id username > > You see a correct shell and correct and existing homedir? > $ LANG=POSIX id oliver > uid=1000(oliver) gid=1000(oliver) > > groups=...