Hi, the sshd_config file in /etc/ssh contains the following lines:

    # To change Kerberos options
    #KerberosAuthentication no
    #KerberosOrLocalPasswd no
    #AFSTokenPassing no
    #KerberosTicketCleanup no

Uncommenting these lines will cause an error claiming that the configuration directives are incorrect. This appears to be a brokenness in OpenSSH - not in your build of it. However, ssh'ing into a configured Kerberos system does not succeed, while using login from the same system on the same account does. I've checked the PAM config for both, and b/c of system-auth (pam_stack) they are both using more or less the same rules (excluding ssh's use of pam_limit). Nevertheless, something is broken - I'll relate more as I know it. Thanks
This is a feature or "feature" of OpenSSH. If certain options (I tried AFSTokenPassing and KerberosTgtPassing myself, a month or two ago) aren't enabled at compile time, sshd will barf if they're used -- those won't be recognized at all. This isn't how it's usually done, I think.

-- e.g. from servconf.c ---
[ ... ]
#ifdef KRB4
        oKerberosAuthentication,
#endif /* KRB4 */
#ifdef AFS
        oKerberosTgtPassing, oAFSTokenPassing,
#endif
[ ... ]
---
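Added illustration, not part of the original comments and not OpenSSH source: a simplified model of a keyword table gated by compile-time flags, showing why a directive for a feature that was not compiled in is rejected as unknown once it is uncommented. The table contents, `lookup_keyword`, `count_bad_directives` and the sample configuration are constructed for this example; only the `KRB4` / `AFS` guards and the three gated option names come from the excerpt above.

```c
#include <ctype.h>
#include <string.h>

/* Assumption for this example: model a build without Kerberos IV or AFS. */
#undef KRB4
#undef AFS

typedef enum {
    oPort,
#ifdef KRB4
    oKerberosAuthentication,
#endif
#ifdef AFS
    oKerberosTgtPassing, oAFSTokenPassing,
#endif
    oBadOption
} opcode_t;

/* Hypothetical keyword table: gated entries vanish when the flag is unset. */
static const struct { const char *name; opcode_t op; } keywords[] = {
    { "port", oPort },
#ifdef KRB4
    { "kerberosauthentication", oKerberosAuthentication },
#endif
#ifdef AFS
    { "kerberostgtpassing", oKerberosTgtPassing },
    { "afstokenpassing", oAFSTokenPassing },
#endif
    { NULL, oBadOption }
};

/* Constructed sample: two Kerberos/AFS directives have been uncommented. */
static const char sample_config[] = "Port 22\n# To change Kerberos options\n"
    "KerberosAuthentication no\n#KerberosOrLocalPasswd no\nAFSTokenPassing no\n";

/* Case-insensitive lookup of the first len bytes of word. */
static opcode_t lookup_keyword(const char *word, size_t len) {
    for (size_t i = 0; keywords[i].name != NULL; i++) {
        size_t j = 0;
        while (j < len && keywords[i].name[j] == tolower((unsigned char)word[j]))
            j++;
        if (j == len && keywords[i].name[j] == '\0') return keywords[i].op;
    }
    return oBadOption;
}

/* Count active (non-blank, non-comment) lines whose directive is unknown. */
static int count_bad_directives(const char *config) {
    int bad = 0;
    for (const char *p = config; *p != '\0'; p += strcspn(p, "\n")) {
        p += strspn(p, " \t\r\n");             /* skip blanks and line ends */
        size_t len = strcspn(p, " \t\r\n");    /* length of directive name */
        if (len > 0 && *p != '#' && lookup_keyword(p, len) == oBadOption) bad++;
    }
    return bad;
}

int main(void) { return count_bad_directives(sample_config) == 2 ? 0 : 1; }
```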
OpenSSH doesn't yet support Kerberos 5 for authentication, and we're trying to stay away from using Kerberos IV auth for anything in the distribution. Local testing shows that sshd with PAM and pam_krb5 does operate correctly, so I'm not sure what to make of Seth's results otherwise.
This doesn't seem to me to be a real bug (see comment #1 and comment #2). Maybe we could patch out the commented options from the config file, but it doesn't seem to me to be worth the patch.