On Mon, 2007-03-12 at 18:45 -0300, Gustavo Rios wrote:
> All those are disabled!
>
> The fact that it is accepting a password for a users that have no
> password in passwd file when KerberosAuthentication is setted no is
> dropping down my hairs.
>
> Somebody could help me?
read VERY closely.
1) in my experience, if you are using a Heimdal or MIT Kerberos
service, then OpenSSH use GSSAPIAuthentication and NOT
KerberosAuthentication.
2) make sure that in your login.conf that in auth-defaults: auth=passwd
and not auth=krb5-or-pwd otherwise PasswordAuthentication will try
Kerberos as well before /etc/passwd.
3) just to be absolutely sure, set all of the following to 'no' and
then set to 'yes' just the ones you know that you want to turn on...
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication no
HostbasedAuthentication no
KerberosAuthentication no
KerberosOrLocalPasswd no
PubkeyAuthentication no
most likely, what you are looking for, which is the same thing I use is
PasswordAuthentication set to 'yes' and GSSAPIAuthentication set to
'yes' and all others set to 'no'. also, combine this with auth=passwd
in /etc/login.conf and you get a system where the users are
authenticated against Kerberos but denied otherwise unless the
explictely have a password set in /etc/passwd.
--
Ryan Corder <[EMAIL PROTECTED]>
Systems Engineer, NovaSys Health LLC.
501-219-4444 ext. 646
[demime 1.01d removed an attachment of type application/pgp-signature which had
a name of signature.asc]
