So, can we use the distributed authentication to sign on from the client machine to the kerberos server using the principal "joe" and the ticket we got? Let's try:

    ssh firstname.lastname@example.org
    Password:
    Password:
    Password:
    Permission denied (publickey,keyboard-interactive).

What's wrong? Let's have a look at the /var/log/messages on the kerberos server:

    Jul 21 16:31:27 kerberos sshd: error: PAM: User not known to the underlying authentication module for illegal user joe from clientmachine.redflo.de
    Jul 21 16:31:27 kerberos sshd: Failed keyboard-interactive/pam for invalid user joe from x.x.x.x port 35808 ssh2

What does this mean? Simple: the Unix system does not know anything about joe. Later we want to use LDAP to make Unix know all about joe, but for now we use the classic Unix methods. On the kerberos server, edit /etc/passwd:
make a home directory:
chown joe:100 /home/joe
(or add a user another way). The *K* in /etc/shadow denotes that we want to get the password from the kerberos server.
Let's try again to ssh from the client machine. What happens? You don't get in? Why? Always check the log files!
Jul 21 16:41:54 kerberos sshd: error: PAM: Authentication failure for joe from clientmachine.redflo.de
So we still cannot authenticate. Do we need to tweak PAM?
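
The two PAM errors in the logs above point at different stages of the login: the first fails at account lookup, the second at authentication. The following Python script is an added example, not part of the original walkthrough; it pulls the PAM reason out of each sshd line and checks whether the user now resolves through the name service. The names `triage`, `account_known` and `HINTS`, and the hint wording, are assumptions of this example.

```python
import pwd
import re

# Constructed sample input: the sshd lines quoted in this walkthrough.
SAMPLE_LOG = """\
Jul 21 16:31:27 kerberos sshd: error: PAM: User not known to the underlying authentication module for illegal user joe from clientmachine.redflo.de
Jul 21 16:31:27 kerberos sshd: Failed keyboard-interactive/pam for invalid user joe from x.x.x.x port 35808 ssh2
Jul 21 16:41:54 kerberos sshd: error: PAM: Authentication failure for joe from clientmachine.redflo.de
"""

# sshd reports PAM failures as: error: PAM: <reason> for [illegal user ]<user> from <host>
PAM_ERROR = re.compile(
    r"sshd(?:\[\d+\])?: error: PAM: (?P<reason>.+?) for "
    r"(?:(?:illegal|invalid) user )?(?P<user>\S+) from (?P<host>\S+)"
)

# PAM's standard error strings, mapped to what to check next (hint text is this example's).
HINTS = {
    "User not known to the underlying authentication module":
        "account lookup failed: the user is missing from /etc/passwd (or LDAP later)",
    "Authentication failure":
        "account lookup worked, PAM rejected the password: look at the PAM auth setup",
}

def account_known(user, lookup=pwd.getpwnam):
    """True if the name service resolves the user, which sshd needs before PAM auth."""
    try:
        lookup(user)
        return True
    except KeyError:
        return False

def triage(log_text, lookup=pwd.getpwnam):
    """Return one dict per sshd PAM error line: reason, user, host, hint, account_known."""
    findings = []
    for line in log_text.splitlines():
        m = PAM_ERROR.search(line)
        if m:
            findings.append({
                **m.groupdict(),
                "hint": HINTS.get(m.group("reason"), "unrecognised PAM error"),
                "account_known": account_known(m.group("user"), lookup),
            })
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['user']} from {f['host']}: {f['reason']} -> {f['hint']} (resolves now: {f['account_known']})")
```

Run on the kerberos server against its real /var/log/messages, the `account_known` column shows at a glance whether the /etc/passwd step has taken effect for each user that appears in a PAM error.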