
Hi, we presently use MIT Kerberos KDC and LDAP for authentication. We are looking to migrate to AD KDC.

After updating a host to use AD KDC, non-local users can no longer log in; the error message states wrong password.

Please help me configure Tectia SSH to use AD instead of MIT Kerberos.

Thank you

asked Jul 20 '17 at 22:26


shancz


After you've set up the host to use AD KDC, ensure Tectia Server is able to use the Pluggable Authentication Modules (PAM) for authentication. With the default configuration, Tectia Server will automatically load available PAM libraries, but the service name ssh-server-g3 might not match an appropriate PAM configuration.

First try copying the sshd service PAM configuration for the ssh-server-g3 service to see if that solves the issue:

[root@centos7 ~]# cp -p /etc/pam.d/sshd /etc/pam.d/ssh-server-g3

and attempt to log in with keyboard-interactive (challenge-response) authentication:

sshg3 --aa=keyboard-interactive --user=username@example.com domainhost
PAM Authentication
Password:

Once the PAM password works, change your Tectia Server configuration in /etc/ssh2/ssh-server-config.xml so that it no longer offers legacy password, or password as a submethod in keyboard-interactive authentication, but only PAM as a submethod for the domain users, to avoid user confusion and unnecessary password login failures.

In the ssh-server-config.xml configuration you can also change the PAM service name used, for example from ssh-server-g3 to sshd, and define the path for the PAM libraries if they are not found automatically. For more information, please see the Tectia Server Administrator's Manual section "Pluggable Authentication Module (PAM) Submethod" and the /etc/ssh2/ssh-server-config-example.xml and /etc/ssh2/ssh-server-config-tutorial.xml files.


answered Jan 23 at 13:08


SSH KB ♦
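
An added example, not part of the answer above and not Tectia code: a shell check that the ssh-server-g3 PAM service resolves to the same auth stack as sshd, which is what the copy step in the answer is meant to achieve. The function names, the directory argument and the sample files (including the pam_sss.so line) are constructed for illustration; the parser assumes Linux-PAM's "type control module" line syntax.

```shell
#!/bin/sh
# Added example, not Tectia code. Sample data is constructed; assumes Linux-PAM
# file syntax ("type control module [args]") in a pam.d-style directory.

# pam_auth_modules DIR SERVICE: print SERVICE's auth-stack modules in order,
# following include/substack/@include. Returns 2 if a service file is absent.
pam_auth_modules() {
    local dir="$1" svc="$2" depth="${3:-0}" type rest
    [ -f "$dir/$svc" ] || return 2
    [ "$depth" -lt 8 ] || return 3            # guard against include loops
    while read -r type rest || [ -n "$type" ]; do
        case ${type#-} in                     # leading "-" = optional module
            @include) pam_auth_modules "$dir" "${rest%% *}" $((depth + 1)) || return $?
                      continue ;;
            auth) [ -n "$rest" ] || continue ;;
            *) continue ;;                    # comments, account/session/password
        esac
        case $rest in
            '['*) rest=${rest#*]} ;;          # control like [success=1 default=ignore]
            include*|substack*)
                set -- $rest
                pam_auth_modules "$dir" "$2" $((depth + 1)) || return $?
                continue ;;
            *) set -- $rest; shift; rest=$* ;; # drop one-word control (required, ...)
        esac
        set -- $rest
        [ -n "$1" ] && printf '%s\n' "${1##*/}"
    done < "$dir/$svc"
    return 0
}

# pam_service_check DIR SERVICE REF: print same | differs | missing.
pam_service_check() {
    local want got
    want=$(pam_auth_modules "$1" "$3") || { echo missing; return 1; }
    got=$(pam_auth_modules "$1" "$2") || { echo missing; return 1; }
    [ "$got" = "$want" ] || { echo differs; return 1; }
    echo same
}

# Constructed sample: a CentOS-style sshd service that pulls in password-auth.
demo=$(mktemp -d)
printf 'auth required pam_sepermit.so\nauth substack password-auth\n' > "$demo/sshd"
printf 'auth required pam_env.so\nauth sufficient pam_sss.so forward_pass\nauth required pam_deny.so\n' > "$demo/password-auth"
pam_service_check "$demo" ssh-server-g3 sshd || true   # no service file yet
cp -p "$demo/sshd" "$demo/ssh-server-g3"               # the step from the answer
pam_service_check "$demo" ssh-server-g3 sshd
rm -rf "$demo"
```

On a real host, `pam_service_check /etc/pam.d ssh-server-g3 sshd` reports `missing` when the service file is absent, in which case Linux-PAM falls back to the `other` service.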
Asked: Jul 20 '17 at 22:26

Seen: 3,625 times

Last updated: Jan 23 at 13:08

All user contributed content licensed under the cc-by-sa license.