passwordless OpenSSH with MIT-Kerberos and PAM
Hi
I have a little question and I hope you can help me ...
What I've got working:
mit-krb5 with pam_krb5 works fine (so I get the tgt at login time)
I can login through pam_krb5 OR pam_unix and I get a tgt if it is pam_krb5 that succeeds
keytabs are set up properly .. I tested it with MIT's sserver and sclient.
I added host principals too (for working with OpenSSH)
so far so good..
the goal:
Connecting to other hosts via OpenSSH should
a) be passwordless if I already have a tgt and it should forward the tgt
b) ask for the kerberos passwd if I haven't yet a tgt
c) ask for a password for normal unix accounts if user principal doesn't exist in kdc
d) use my PAM configuration
I already achieved b) c) and d)
the only thing to do was to set
UsePAM yes
in /etc/ssh/sshd_config
and a somewhat tricky PAM configuration
the problem: a)
passwordless logins don't work, and neither does forwarding tgt's..
I tried to set
KerberosAuthentication yes
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanupCreds yes
in /etc/ssh/sshd_config
but that didn't help..
BTW when uncommenting UsePAM yes
it didn't work either .. but the tgt forwarding seems to work ...
that was only a simple test since I can forget point d) of my requirements
Any hints ?
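
An added example, not part of the original post: a small shell check that reports which of the sshd_config keywords named above are actually in effect in the global section, since sshd takes the first value it finds for a keyword and ignores commented lines. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# effective_value FILE KEYWORD
# Prints the first uncommented value of KEYWORD in the global section of an
# sshd_config file, or "unset". Keywords are matched case-insensitively.
# Assumption: only the whitespace-separated "Keyword value" form is handled.
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); found = 0 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        { key = tolower($1) }
        key == "match" { exit }                # global section ends at first Match
        key == want { print tolower($2); found = 1; exit }  # first value wins
        END { if (!found) print "unset" }
    ' "$1"
}

# audit_sshd_gssapi FILE
# Reports the keywords the post lists for PAM, Kerberos and GSSAPI logins.
audit_sshd_gssapi() {
    for kw in UsePAM KerberosAuthentication KerberosTicketCleanup \
              GSSAPIAuthentication GSSAPICleanupCreds; do
        printf '%s=%s\n' "$kw" "$(effective_value "$1" "$kw")"
    done
}

# Constructed sample: one keyword commented out, one shadowed by an earlier
# line, one set only inside a Match block.
sample_config() {
cat <<'EOF'
UsePAM yes
#GSSAPIAuthentication yes
KerberosAuthentication no
kerberosauthentication yes
GSSAPICleanupCreds yes
Match User alice
    GSSAPIAuthentication yes
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
audit_sshd_gssapi "$tmp"
rm -f "$tmp"
```

On a live host, `sshd -T` prints the configuration sshd has actually parsed, which is the authoritative version of the same check.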