Jon DeVree <[EMAIL PROTECTED]> writes:

>> First, I'd strongly recommend pam_krb5 instead of
>> KerberosAuthentication in sshd_config.

> Any reason in particular? This was all set up before I really knew what I
> was doing and I never really went back and looked at how it was set up.

KerberosAuthentication tells sshd to internally check passwords with
Kerberos, but that code is specific to ssh and doesn't integrate with the
rest of the system login practice.  It's also likely that it won't handle
things like password aging properly.  I believe those options predated
widespread use of PAM with ssh.

Most of the testing and work for Kerberos login authentication goes into
the Kerberos PAM module, which has a ton of options for things that you
may need, handles password aging and changing (if you enable
ChallengeResponseAuthentication in ssh), integrates with the rest of the
PAM stack, and generally will make ssh logins work more like the other
authentication on the system.  It's not clear that the folks maintaining
ssh are paying close attention to changes to the Kerberos API, whereas I
promise to pay close attention to anything that changes the PAM module.
:)

The only time I'd use KerberosAuthentication in sshd is if I were running
it on a system that doesn't support PAM.

-- 
Russ Allbery ([EMAIL PROTECTED])               <http://www.eyrie.org/~eagle/>
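
The following check is an added example, not part of the original message or of any project it mentions. It reads sshd_config text and flags the setup the message advises against: KerberosAuthentication enabled, or UsePAM / ChallengeResponseAuthentication set so that pam_krb5 cannot do its job. The function names, the sample config, and the defaults table are assumptions made for illustration.

```python
import re

# Upstream OpenSSH defaults for an absent keyword (assumed; packages may differ).
DEFAULTS = {
    "kerberosauthentication": "no",
    "usepam": "no",
    "challengeresponseauthentication": "yes",
}

def effective_settings(config_text):
    """Global values of the keywords above; sshd keeps the first value it reads."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single "=".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        if keyword == "match":
            break  # conditional blocks are out of scope for this check
        args = parts[1].split() if len(parts) > 1 else []
        if keyword in DEFAULTS and keyword not in seen and args:
            seen[keyword] = args[0].strip('"').lower()
    return {**DEFAULTS, **seen}

def audit(config_text):
    """Return findings for the setup the message advises against."""
    s = effective_settings(config_text)
    findings = []
    if s["kerberosauthentication"] == "yes":
        findings.append("KerberosAuthentication yes: sshd checks passwords "
                        "with its own Kerberos code, outside the PAM stack")
    if s["usepam"] != "yes":
        findings.append("UsePAM is not yes: pam_krb5 is never consulted")
    elif s["challengeresponseauthentication"] != "yes":
        findings.append("ChallengeResponseAuthentication is not yes: password "
                        "aging and changing via pam_krb5 will not work")
    return findings

# Constructed sample: the legacy setup described in the thread.
LEGACY = """\
KerberosAuthentication yes
kerberosauthentication no
UsePAM no
"""

if __name__ == "__main__":
    print("\n".join(audit(LEGACY)))
```

The check covers only the global section of the file; settings inside Match blocks and the contents of the PAM stack itself still need a manual look.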
