In password authentication mode, the SSH server checks the password
against Kerberos before checking it against the SYSUAF. If the Kerberos password
check passes, the SSH server considers the SSH password authentication successful
and the user is allowed in. If not, password authentication continues
with the SYSUAF check.

When the Kerberos password check succeeds, the SSH server provides
the user process on the server system with a forwardable TGT so that the user need
not issue a kinit once logged in. In effect, the SSH server has performed
a kinit -f command on behalf of the user.

By default, Kerberos password authentication is not enabled. To enable
the Kerberos password check in password authentication mode, set the
TryKerberosPassword configuration parameter in the SSH server configuration
file to yes.

The TryKerberosPassword configuration parameter tells
the SSH server in password authentication mode to validate the user's password
against Kerberos before validating against the SYSUAF. A yes value
tells the SSH server to validate the user's password against Kerberos. A no value
tells the SSH server not to check Kerberos. The TryKerberosPassword configuration
parameter defaults to no.

To use Kerberos password authentication, you must have SYS$SHARE:KRB$RTL32.EXE
installed, as described in Installing Kerberos RTL Images.