# ask to configure kerberos

## netzerospace

I want to ask several things about the Kerberos system.

As far as I know, Kerberos is a ticketing authentication system,

so if you want to log in you have to ask for a ticket first, right...

 -----

I've installed Kerberos on my system and want to integrate it with OpenSSH.

I want to ask why, if the ticket has expired, the user that logged in through SSH doesn't log off automatically.

thanks

----------

## Hypnos

http://www.cmf.nrl.navy.mil/ccs/people/kenh/kerberos-faq.html#ticketexp

You should read all the FAQs if you are kerberizing your network

----------

## netzerospace

OK,

I know that when the ticket has expired

the user cannot log in anymore,

but if the user has already logged in (with SSH) the session is not closed even though the ticket has already expired.

Is there any way to make the session get killed when the ticket expires?

Like a patch or something...??

----------

## Hypnos

I'm sure you could write a patch, but I doubt anyone else would want it.

Your users would get pissed off if they got logged out automatically just because their ticket expired, killing the processes in the shell they might be using for some important work.

Moreover, you gain little in security.  A user needs a valid ticket to log in, so if the ticket expires they were still authenticated at some point.  If you need to delete their account, they just won't be allowed to log in again; if you need them removed from your system immediately, you can just kill their sessions.

----------

## netzerospace

Is it possible for OpenSSH to use only users that have been created on the Kerberos system and not read them from the shadow file?

```
May 23 09:21:27 sshserver sshd[18537]: Invalid user testusers from 192.168.112.1
May 23 09:21:27 sshserver sshd[18537]: error: Could not get shadow information for NOUSER
May 23 09:21:27 sshserver sshd[18537]: Failed none for invalid user testusers from 192.168.112.1 port 1208 ssh2
May 23 09:23:33 sshserver sshd[18513]: Received signal 15; terminating.
May 23 09:23:34 sshserver sshd[18628]: Server listening on 0.0.0.0 port 22.
```

----------

## Hypnos

If you read the manpage for sshd_config, you'll see that the default is to try kerberos first, then default to shadow ("KerberosOrLocalPasswd").  So, I don't know why it doesn't work for you.  Maybe you need to turn on "KerberosAuthentication" and/or "GSSAPIAuthentication".

----------

## netzerospace

Does the new version of ssh (openssh-5.2p1.tar.gz) support this kind of method (use only kinit "username" and automatic login for ssh)?

Or is there something wrong with the patch?

Or should I use the old Portage?

Because I can't use the GSSAPIKeyExchange option.

It always displays an error:

```
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
GSSAPIKeyExchange yes

/usr/local/ssh/etc/sshd_config: line 77: Bad configuration option: GSSAPIDelegateCredentials
/usr/local/ssh/etc/sshd_config: line 78: Bad configuration option: GSSAPIKeyExchange
/usr/local/ssh/etc/sshd_config: terminating, 2 bad configuration options
```

---

openssh-5.0p1-gsskex-20080404.patch <-- what is this patch for?

----------
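An added check, not part of the thread and not OpenSSH's own tooling: a small Python linter run over the sshd_config lines from the post above. It flags GSSAPIDelegateCredentials (a client-side ssh_config option that sshd does not accept), GSSAPIKeyExchange (which only exists in an sshd built with the gsskex patch named above), and a missing `KerberosOrLocalPasswd no`, the setting behind the fall-back to shadow described in the earlier reply. The sample config is constructed.

```python
"""Lint an sshd_config for Kerberos/GSSAPI options that sshd rejects or that
keep the shadow-file fallback enabled. Constructed example, not OpenSSH code."""
import re

# Options that belong only in the client's ssh_config(5); sshd rejects them.
CLIENT_ONLY = {"gssapidelegatecredentials"}
# Options added by the out-of-tree GSSAPI key-exchange (gsskex) patch;
# a stock sshd built without that patch rejects them.
GSSKEX_ONLY = {"gssapikeyexchange"}


def check_sshd_config(text):
    """Return a list of (line_no, option, reason). line_no is None when the
    finding is about an option that is absent from the file."""
    findings = []
    local_fallback = None  # (line_no, value) of an explicit KerberosOrLocalPasswd
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both "Option value" and "Option=value"
        m = re.match(r"([A-Za-z]+)\s*(?:=|\s)\s*(\S+)", line)
        if not m:
            continue
        opt, value = m.group(1), m.group(2)
        key = opt.lower()
        if key in CLIENT_ONLY:
            findings.append((line_no, opt, "client-only option; belongs in ssh_config"))
        elif key in GSSKEX_ONLY:
            findings.append((line_no, opt, "only exists in an sshd built with the gsskex patch"))
        elif key == "kerberosorlocalpasswd":
            local_fallback = (line_no, value.lower())
    # Default is 'yes': a failed Kerberos password check falls back to /etc/shadow.
    if local_fallback is None:
        findings.append((None, "KerberosOrLocalPasswd", "not set; default 'yes' falls back to /etc/shadow"))
    elif local_fallback[1] != "no":
        findings.append((local_fallback[0], "KerberosOrLocalPasswd", "password logins fall back to /etc/shadow"))
    return findings


# Constructed sample mirroring the options quoted in the thread.
SAMPLE_SSHD_CONFIG = """\
# constructed sample
KerberosAuthentication yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
GSSAPIKeyExchange yes
"""

if __name__ == "__main__":
    for line_no, opt, reason in check_sshd_config(SAMPLE_SSHD_CONFIG):
        print("line %s: %s: %s" % (line_no, opt, reason))
```

`sshd -t -f <file>` remains the authoritative check against the daemon you actually run. Note that sshd still needs the account to resolve through the system user database (getpwnam), which is what the "Invalid user" log line shows; Kerberos only replaces the password check.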

## Hypnos

I don't know; you might want to search https://bugs.gentoo.org

If you figure it out, you may want to open a bug.

----------

## netzerospace

Do you think I should move to the old Portage?

But I'm currently using the latest snapshot.

Any idea?

----------

## Hypnos

Create a local overlay with an ebuild with the correct behavior, then open a bug which explains the problem and post your solution.

----------

