ldap, kerberos and ssh-krb5
I have a working installation with account information
in ldap, workstations accessing account information
via libnss-ldap and nscd. Further, a kerberos kdc with
principals matching users in ldap. All machines have a
krb5.keytab. Home directories are currently served via
nfs from one server to the workstations.
Local login at workstations works by the use of
libpam-heimdal, for console and kdm. And the user
logging in gets a ticket granting ticket as expected.
One problem remains however with this centralized
setup: ssh between workstations, which I fail to get
working. It keeps asking for a password and does not
let anyone in.
OTOH, if I have local users on the machines (no ldap
service), the ssh-krb5 package works as expected. After
a kinit to get a valid tgt, a user can ssh another
machine and get a shell. In the process the user on
the ssh client machine gets a ticket for the server.
This works beautifully with the default /etc/pam.d/ssh
file and no need to type a password.
But with the centralized account handling described
above I'm running out of options. Do I need to modify
the /etc/pam.d/ssh file although I do not want to send
any passwords over the network (even in a
ssh-session)?
Any help appreciated.