In password authentication mode, the SSH server checks the password against Kerberos before checking it against the SYSUAF. If the Kerberos password check passes, the SSH server considers the SSH password authentication successful and the user is allowed in. If not, the password authentication continues on with the SYSUAF check.

When the Kerberos password check succeeds, the SSH server provides to the user process on the server system a forwardable TGT so that the user need not issue a kinit once logged in. Essentially the SSH server has performed a kinit -f command on behalf of the user.

By default, Kerberos password authentication is not enabled. To enable Kerberos password check in password authentication mode, set the TryKerberosPassword configuration parameter in the SSH server configuration file to yes.

The TryKerberosPassword configuration parameter tells the SSH server in password authentication mode to validate the user's password against Kerberos before validating against the SYSUAF. A yes value tells the SSH server to validate the user's password against Kerberos. A no value tells the SSH server not to check Kerberos. The TryKerberosPassword configuration field defaults to no.

To use Kerberos password authentication, you must have SYS$SHARE:KRB$RTL32.EXE installed, as described in Installing Kerberos RTL Images.