On Tue, 2006-08-15 at 12:24 -0400, Steve Shockley wrote:
> Kerberos also sounded like a good idea, but if I understand correctly,
> the clients would need a Kerberized ssh client, and they'd have to be
> able to access the KDC before logging in to the gateway.

Having a kerberized SSH client isn't a must. If the client isn't set up to pass on credentials and you have the user class set up to use Kerberos on your gateway, then OpenSSH should just prompt the user for the password. Incidentally, they'll be issued a ticket on the gateway.

Easiest way is to set your auth_defaults in /etc/login.conf:

    auth-defaults:auth=krb5-or-pwd,skey

This is assuming you want to fall back on a password in your shadow file and then onto skey. Of course, make sure you have Kerberos set up properly in your /etc/kerberosV/krb5.conf file.

later.
ryanc

--
Ryan Corder <[EMAIL PROTECTED]>
Systems Engineer, NovaSys Health LLC.
501-219-4444 ext. 646