passwordless OpenSSH with MIT-Kerberos and PAM
I have a little question and I hope you can help me ...
What Ive got working:
mit-krb5 with pam_krb5 works fine (so I get the tgt at login time)
I can login through pam_krb5 OR pam_unix and I get a tgt if it is pam_krb5 that succeeds
ketabs are setup properly .. I tested it with mit's sserver and sclient.
I added host principals too (for working with OpenSSH)
so far so good..
The connect to other hosts via OpenSSH should
a) be passwordless if I have already a tgt and it should forward the tgt
b) ask for the kerberos passwd if I havent yet a tgt
c) ask for a password for normal unix accounts if user principal doesnt exist in kdc
d) use my PAM configuration
I already achieved b) c) and d)
the only thing to do was to set
and a somewhat tricky PAM configuration
the problem: a)
passwordless logins dont work , neither forwarding tgt's..
I tried to set
but that didnt help..
BTW when uncommenting UsePAM yes
it didnt work either .. but the tgt forwarding seems to work ...
that was only a simple test since I can forget point d) of my requirements
Any hints ?