Subject: Re: Centralized User and Password Management
To: None <netbsd-users@NetBSD.org>
From: Jukka Salmi <j+nbsd@2004.salmi.ch>
List: netbsd-users
Date: 11/24/2004 21:54:00
Tillman Hodgson --> netbsd-users (2004-11-24 10:41:00 -0600):
> On Wed, Nov 24, 2004 at 05:19:32PM +0100, Jukka Salmi wrote:
> > Yes, sshd (at least on NetBSD 2.0 and -current) seems to be able to
> > authenticate against a kdc (if KerberosAuthentication is set to 'yes').
[...]
> 
> Note that KerberosAuthentication is for the OpenSSH version 1
> protocol, which you probably don't want to use. You'll find that newer
> OpenSSH versions support GSSAPI options which are the preferred path
> forward.

Hmm, AFAICT I explicitly disabled protocol version 1:

$ grep ^Proto /etc/ssh/sshd_config
Protocol 2

and ssh -v from a client to this host prints:

$ ssh -v user@host
OpenSSH_3.6.1 NetBSD_Secure_Shell-20030917, SSH protocols 1.5/2.0, OpenSSL 0x0090704f
[...]
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.6.1 NetBSD_Secure_Shell-20030917
debug1: match: OpenSSH_3.6.1 NetBSD_Secure_Shell-20030917 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.6.1 NetBSD_Secure_Shell-20030917
[...]
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,kerberos-2@ssh.com
debug1: Next authentication method: kerberos-2@ssh.com
debug1: Authentication succeeded (kerberos-2@ssh.com).
[...]

...and if I don't have a TGT on the client I'm asked for the Kerberos
password, so this works fine, too.

Am I missing something?


Regards, Jukka

-- 
bashian roulette:
$ ((RANDOM%6)) || rm -rf ~
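
Added example, not part of the original message: one way to read the remote protocol version and the authentication method that succeeded out of a saved `ssh -v` log, and to check both against an allow-list. The function names are hypothetical and the sample log is constructed from the debug lines quoted above.

```shell
#!/bin/sh
# Added example: summarise a saved `ssh -v` client log (its stderr output).
# Function names are hypothetical; the sample log is constructed.

# Constructed sample input, built from debug lines quoted in the message.
sample_log() {
    cat <<'EOF'
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.6.1 NetBSD_Secure_Shell-20030917
debug1: Authentications that can continue: publickey,password,kerberos-2@ssh.com
debug1: Next authentication method: kerberos-2@ssh.com
debug1: Authentication succeeded (kerberos-2@ssh.com).
EOF
}

# Read a log on stdin; print "proto=<ver> offered=<list> method=<name>".
# A field is left empty when its debug line is absent.
ssh_log_summary() {
    awk '
        /^debug1: Remote protocol version / { p = $5; sub(/,$/, "", p) }
        /^debug1: Authentications that can continue: / { o = $NF }
        /^debug1: Authentication succeeded \(/ {
            m = $NF; sub(/^\(/, "", m); sub(/\)\.$/, "", m)
        }
        END { printf "proto=%s offered=%s method=%s\n", p, o, m }'
}

# Exit 0 only if the server announced protocol 2.x and the method that
# succeeded is in $1 (comma-separated allow-list). A server announcing 1.99
# still accepts protocol 1, so it fails the check on purpose.
ssh_log_check() {
    allowed=$1
    summary=$(ssh_log_summary)
    proto=${summary#proto=}; proto=${proto%% *}
    method=${summary##*method=}
    [ -n "$method" ] || return 1          # no "Authentication succeeded" line
    case $proto in 2.*) ;; *) return 1 ;; esac
    case ",$allowed," in *",$method,"*) return 0 ;; *) return 1 ;; esac
}

sample_log | ssh_log_summary
# → proto=2.0 offered=publickey,password,kerberos-2@ssh.com method=kerberos-2@ssh.com
```

To use it on a real session, save the client's debug output with `ssh -v user@host 2>ssh.log` and feed `ssh.log` to either function on stdin.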