Index: server/fedora/config/etc/issue.net.no_tkt
===================================================================
--- server/fedora/config/etc/issue.net.no_tkt	(revision 423)
+++ server/fedora/config/etc/issue.net.no_tkt	(revision 423)
@@ -0,0 +1,5 @@
+You must log in to the scripts service using Kerberos tickets, but
+your ssh client did not pass a valid ticket to the scripts server.
+
+See http://scripts.mit.edu/faq/41
+
Index: server/fedora/config/etc/issue.net.no_user
===================================================================
--- server/fedora/config/etc/issue.net.no_user	(revision 423)
+++ server/fedora/config/etc/issue.net.no_user	(revision 423)
@@ -0,0 +1,3 @@
+You do not appear to be signed up for the scripts.mit.edu service.
+
+You may sign up at http://scripts.mit.edu/
Index: server/fedora/config/etc/pam.d/sshd
===================================================================
--- server/fedora/config/etc/pam.d/sshd	(revision 423)
+++ server/fedora/config/etc/pam.d/sshd	(revision 423)
@@ -0,0 +1,25 @@
+#%PAM-1.0
+# Authentication modules
+
+# If they're not root, but their user exists (success),
+auth	[success=ignore ignore=ignore default=1]	pam_succeed_if.so uid > 0
+# print the "You don't have tickets" error:
+auth	[success=die ignore=reset default=die]	pam_echo.so file=/etc/issue.net.no_tkt
+# If !(they are root),
+auth	[success=1 ignore=ignore default=ignore]	pam_succeed_if.so uid eq 0
+# print the "your account doesn't exist" error:
+auth	[success=die ignore=reset default=die]	pam_echo.so file=/etc/issue.net.no_user
+
+# Set environment variables:
+auth       required     pam_env.so
+# Use Unix authentication and succeed immediately (sufficient):
+auth       sufficient   pam_unix.so try_first_pass
+# If they somehow slipped through, deny:
+auth	   required	pam_deny.so
+
+account    required     pam_nologin.so
+account    include      system-auth
+password   include      system-auth
+session    optional     pam_keyinit.so force revoke
+session    include      system-auth
+session    required     pam_loginuid.so
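Review bot: The two `pam_echo.so` branches answer an unauthenticated client differently depending on whether the account exists: `/etc/issue.net.no_tkt` for an existing non-root uid and `/etc/issue.net.no_user` otherwise, so a keyboard-interactive attempt reveals which usernames are signed up. If that is an accepted usability trade-off, record it in the file, e.g. `# Deliberate: the two messages disclose whether an account exists.`; otherwise point both lines at one combined message. The stack also leaves uid 0 as the only account that reaches `pam_unix.so`, which makes root the one remaining target for password guessing. A comment above `pam_env.so` such as `# Only root falls through to password auth; all other users must use GSSAPI.` would make that explicit for the next maintainer.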
Index: server/fedora/config/etc/ssh/sshd_config
===================================================================
--- server/fedora/config/etc/ssh/sshd_config	(revision 422)
+++ server/fedora/config/etc/ssh/sshd_config	(revision 423)
@@ -1,6 +1,6 @@
 Protocol 2
 SyslogFacility AUTHPRIV
-PasswordAuthentication yes
-ChallengeResponseAuthentication no
+PasswordAuthentication no
+ChallengeResponseAuthentication yes
 GSSAPIAuthentication yes
 GSSAPICleanupCredentials yes
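Review bot: `PasswordAuthentication no` does not turn password logins off here, because `ChallengeResponseAuthentication yes` moves the prompt to keyboard-interactive, which sshd hands to PAM; the effective policy now lives in /etc/pam.d/sshd. This relies on `UsePAM yes` being set further down in the file, which the hunk does not show and should be confirmed. I would add a comment above the two changed lines, `# Passwords go through keyboard-interactive/PAM; see /etc/pam.d/sshd for who may use them.`, so nobody reads the first line as "passwords disabled". It is also worth checking that the `PermitRootLogin` setting elsewhere in this file matches the root-only password path that the PAM stack allows.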
