
Hi, we presently use MIT Kerberos KDC and LDAP for authentication. We are looking to migrate to AD KDC.

After updating a host to use AD KDC, non-local users can no longer log in; the error message states wrong password.

Please help me configure Tectia SSH to use AD instead of MIT Kerberos.


asked Jul 20 '17 at 22:26

shancz


After you've set up the host to use AD KDC, ensure Tectia Server is able to use the Pluggable Authentication Modules (PAM) for authentication. With the default configuration, Tectia Server will automatically load available PAM libraries, but the service name ssh-server-g3 might not match an appropriate PAM configuration.

First try copying the sshd service PAM configuration for the ssh-server-g3 service to see if that solves the issue:

[root@centos7 ~]# cp -p /etc/pam.d/sshd /etc/pam.d/ssh-server-g3

and attempt a login with keyboard-interactive (challenge-response) authentication:

sshg3 --aa=keyboard-interactive --user=username@example.com domainhost
PAM Authentication

Once PAM password works, change your Tectia Server configuration in /etc/ssh2/ssh-server-config.xml so that it no longer offers legacy password, or password as a submethod in keyboard-interactive authentication, but only PAM as a submethod for the domain users, to avoid user confusion and unnecessary password login failures.

In the ssh-server-config.xml configuration you can also change the PAM service name used from ssh-server-g3 to, for example, sshd, and define the path for PAM libraries if they are not found automatically. For more information please see the Tectia Server Administrator's Manual section "Pluggable Authentication Module (PAM) Submethod" and the /etc/ssh2/ssh-server-config-example.xml and /etc/ssh2/ssh-server-config-tutorial.xml files.


answered Jan 23 '19 at 13:08

SSH KB
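A check to go with the answer above, as an added example that is not part of the original post and not a Tectia tool: it reports whether the ssh-server-g3 PAM service file exists, whether every file it includes is present, and whether its stack matches the sshd one. The function names are hypothetical, and it assumes the Linux-PAM `include`/`substack` syntax used on the CentOS 7 host in the answer.

```shell
#!/bin/sh
# Added example: compare the PAM stack of one service file against a reference.
# The PAM directory is a parameter so the check can also run on a copy of /etc/pam.d.

# Print the effective lines of a PAM file: comments and blank lines removed,
# runs of whitespace collapsed, so two files compare by content, not layout.
pam_effective() {
    sed -e 's/#.*//' -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/^ //' -e 's/ $//' -e '/^$/d' "$1"
}

# Usage: pam_service_check PAM_DIR SERVICE REFERENCE
# Prints: missing | broken-include:<name> | same | differs
# Returns 0 only for "same".
pam_service_check() {
    dir=$1 svc=$2 ref=$3
    # Without a service file, Linux-PAM falls back to the "other" service,
    # so the SSH server would not use the stack configured for sshd.
    if [ ! -f "$dir/$svc" ]; then
        echo missing
        return 1
    fi
    # Every "include"/"substack" target has to exist in the same directory.
    for inc in $(pam_effective "$dir/$svc" |
                 awk '$2 == "include" || $2 == "substack" { print $3 }'); do
        if [ ! -f "$dir/$inc" ]; then
            echo "broken-include:$inc"
            return 1
        fi
    done
    if [ "$(pam_effective "$dir/$svc")" = "$(pam_effective "$dir/$ref")" ]; then
        echo same
        return 0
    fi
    echo differs
    return 1
}

# Run as: sh pam-check.sh /etc/pam.d ssh-server-g3 sshd
if [ "$#" -eq 3 ]; then
    pam_service_check "$@"
fi
```

A result of `differs` is not necessarily wrong, but it means the two services can authenticate the same user differently and is worth reviewing before restricting the submethods.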






All user contributed content licensed under the cc-by-sa license.