Authenticating via Kerberos in SSH on Solaris 9
Tyson Oswald
oswaldt at ameritech.net
Tue Jan 4 18:49:14 EST 2005
That seems to fix the issue of locking the account but it still dumps
that message in the log. I will try and use use_first_pass and see if
that makes a difference. Adding the pam_getauth_ok seemed to fix the
lockout problem. It's slow going since everything has to be approved
before we can make changes to our AD since we are part of a huge
forest.
thanks for the help.
Tyson
On Jan 4, 2005, at 02:16 PM, Douglas E. Engert wrote:
>
>
> Tyson Oswald wrote:
>> Greetings All,
>> I have been making good progress in getting Kerberos to work on
>> Solaris 9 and Windows AD. I have it working very well from the
>> console. Problems arise when I use SSH. I have my pam.conf
>> configured as follows for SSH which is identical to login
>> sshd auth sufficient pam_unix_auth.so.1
>> sshd auth required pam_krb5.so.1 try_first_pass debug
>
>> When I connect to SSH it does an initial call to the DC before I even
>> enter my password, like so
>
> So do you also have the sshd auth requisite pam_authtok_get.so.1
> before these? It should prompt for the initial password. It might
> be that the try_first_pass is trying the null string passed by sshd
> to pam, thus the first decrypt failure message.
>
> We are using something like this, but not using the Solaris pam_krb5:
>
> # sshd - keyboard interactive uses all PAM exists, but
> # privsep gets in the way. So use force.
> # PAM session is called when GSSAPI delegation or
> # Kerberos password used, so get AFS token in all three cases.
> # We want a session type cache, so with ANL PAM
> # pass in ccache=
> # We need ccache= on HP as it does not have pam_putenv
> # RedHat PAM uses session cache already
> #
> sshd auth requisite pam_authtok_get.so.1
> sshd auth required pam_dhkeys.so.1
> sshd auth sufficient /krb5/lib/pam_krb5.so.1 use_first_pass forwardable force_creds cache=/tmp/krb5cc_u%u_p%p
> sshd auth required pam_unix_auth.so.1
> #
> sshd session required pam_unix_session.so.1
> sshd session required /krb5/lib/pam_afs2.so.1
> #
>
>
> If you are interested, we have MIT Krb5 1.3.5 with OpenSSH-3.9p1
> working with the Solaris 9 dtlogin, dtsession, xlock, xscreensaver.
> The KDC is Windows 2003 AD.
>
>
>> Jan 4 10:03:48 snoopy sshd[19516]: [ID 655841 local6.debug] PAM-KRB5 (auth): pam_sm_authenticate flags=1
>> Jan 4 10:03:48 snoopy sshd[19516]: [ID 549540 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: start: user='cbrown'
>> Jan 4 10:03:48 snoopy sshd[19516]: [ID 179272 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt integrity check failed
>> Jan 4 10:03:48 snoopy sshd[19516]: [ID 399723 local6.debug] PAM-KRB5 (auth): clearing initcreds in pam_authenticate()
>> Jan 4 10:03:48 snoopy sshd[19516]: [ID 833335 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth returning 9
>> Jan 4 10:03:48 snoopy sshd[19516]: [ID 954327 local6.debug] PAM-KRB5 (auth): prompting for password
>> Jan 4 10:03:48 snoopy sshd[19516]: [ID 549540 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: start: user='cbrown'
>> Jan 4 10:03:48 snoopy sshd[19516]: [ID 179272 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt integrity check failed
>> Jan 4 10:03:48 snoopy sshd[19516]: [ID 399723 local6.debug] PAM-KRB5 (auth): clearing initcreds in pam_authenticate()
>> Jan 4 10:03:48 snoopy sshd[19516]: [ID 833335 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth returning 9
>> Jan 4 10:03:48 snoopy sshd[19516]: [ID 914654 local6.debug] PAM-KRB5 (auth): pam_sm_auth finalize ccname env, result =9, env ='KRB5CCNAME=FILE:/tmp/krb5cc_106', age = 0, status = 9
>> Jan 4 10:03:48 snoopy sshd[19516]: [ID 525286 local6.debug] PAM-KRB5 (auth): end: Authentication failed
>> The problem here is it will eventually lock out our domain account.
>> I am pretty sure this is not a Kerberos issue but was wondering if
>> anyone else ran into this issue. I am using Solaris 9 and the SSH
>> that came with it so Sun_SSH_1.0.1.
>> thanks much,
>> Tyson Oswald
>> ________________________________________________
>> Kerberos mailing list Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>
> --
>
> Douglas E. Engert <DEEngert at anl.gov>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
>
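Added example, not part of either message in the thread: a small POSIX shell/awk check that runs over constructed PAM-KRB5 debug lines of the same shape as the ones Tyson posted (hostname, PIDs and timestamps are made up) and flags the pattern Doug describes, namely a Kerberos preauth failure recorded inside an sshd PID before that PID has ever prompted for a password. That first failure is the empty string sshd hands to PAM being tried as a password by try_first_pass, and on an AD realm each such attempt counts against the account lockout threshold. Counting failures per PID and checking whether one precedes the prompt lets an administrator confirm the misordering from syslog rather than by waiting for a lockout.

```shell
#!/bin/sh
# Constructed sample of PAM-KRB5 debug output, not taken from a real host.
# PID 19516 shows the double-failure pattern (fail, prompt, fail);
# PID 19600 shows a normal single failure after the prompt.
SAMPLE_LOG='Jan  4 10:03:48 snoopy sshd[19516]: [ID 179272 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt integrity check failed
Jan  4 10:03:48 snoopy sshd[19516]: [ID 954327 local6.debug] PAM-KRB5 (auth): prompting for password
Jan  4 10:03:48 snoopy sshd[19516]: [ID 179272 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt integrity check failed
Jan  4 10:05:12 snoopy sshd[19600]: [ID 954327 local6.debug] PAM-KRB5 (auth): prompting for password
Jan  4 10:05:12 snoopy sshd[19600]: [ID 179272 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt integrity check failed'

# Count "Decrypt integrity check failed" lines per sshd PID.
# Output: one "<pid> <count>" line per PID, sorted by PID.
# A PID with two failures for a single login attempt means one of
# them was not typed by the user and still hit the lockout counter.
failures_per_pid() {
    printf '%s\n' "$SAMPLE_LOG" | awk '
        /PAM-KRB5 \(auth\).*Decrypt integrity check failed/ {
            if (match($0, /sshd\[[0-9]+\]/)) {
                # strip the "sshd[" prefix and the trailing "]"
                pid = substr($0, RSTART + 5, RLENGTH - 6)
                fail[pid]++
            }
        }
        END { for (p in fail) printf "%s %d\n", p, fail[p] }' | sort
}

# Print each PID whose first Kerberos failure appears before any
# "prompting for password" line. Such a failure used the empty
# password sshd passes to PAM, which is the try_first_pass problem
# discussed in the thread; a correctly ordered stack
# (pam_authtok_get first) never produces this.
pids_failing_before_prompt() {
    printf '%s\n' "$SAMPLE_LOG" | awk '
        {
            if (!match($0, /sshd\[[0-9]+\]/)) next
            pid = substr($0, RSTART + 5, RLENGTH - 6)
            if ($0 ~ /prompting for password/) {
                prompted[pid] = 1
            } else if ($0 ~ /Decrypt integrity check failed/ && !prompted[pid] && !flagged[pid]) {
                flagged[pid] = 1
                print pid
            }
        }'
}

echo "Kerberos failures per sshd PID:"
failures_per_pid
echo "PIDs that failed before the password prompt:"
pids_failing_before_prompt
```

Against a live system, replace SAMPLE_LOG with the output of the syslog facility that pam_krb5's debug option writes to (local6 in Tyson's lines); the awk does not depend on the timestamp format, only on the sshd[PID] tag and the two PAM-KRB5 message texts.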