topic Re: ssh pam kerberos: key-based authentication in Operating System - HP-UX

ssh pam kerberos: key-based authentication

TEC-HP — Tue, 11 Oct 2005 01:56:22 GMT

We are looking to have a transparrent migration to kerberos authentication
Note: complete migration to LDAP is not possible at this moment

description of the current situation:
The KDC is a windows server
Users are still created on unix but will be dissabled on unix
users can still authenticate through kerberos when using ssh (pam.conf)
kerberos authentication for root is dissabled (pam_user.conf)

problem: when a user uses key-based authentication he still gets authenticated even if he is disabled in kerberos
Is there a way to block ssh-key-based authentication if the user is disabled?

Re: ssh pam kerberos: key-based authentication

RAC_1 — Tue, 11 Oct 2005 02:06:31 GMT

Check sshd_config. you can set preferred authentication method.

Re: ssh pam kerberos: key-based authentication

Muthukumar_5 — Tue, 11 Oct 2005 02:08:31 GMT

PubkeyAuthentication in sshd_config file to no. Restart sshd and your requirement will work.

hth.

Re: ssh pam kerberos: key-based authentication

TEC-HP — Tue, 11 Oct 2005 02:12:52 GMT

key based authentication should still work for batch users: unless the batch user has expired and has been dissabled in the KDC.

So: I'm looking fo a way to intoregate the kerbeos server to check if a user is dissabled

Re: ssh pam kerberos: key-based authentication

Brian Miller_9 — Tue, 18 Oct 2005 10:53:35 GMT

You probably need to start tweaking your pam.conf file, so that kerberos authentication is required. By default, that file only makes kerberos "sufficient", so a failure does not prevent a user from authenticating.

Of course, then you have to work out how to let root login, without kerberos.

I've never worked with kerberos, so can't give you specific steps. But that seems to me the direction you want to look in.