Solaris 10 ssh logins + w2k3 AD native mode
Barry Allard
ballard at stanford.edu
Wed Mar 15 21:29:35 EST 2006
Hi,
This might have been answered in previous post(s)...
I'm trying to kerberize Solaris 10 x86 sshd and create wiki scratch build
docs on it. Specifically, I'd like to get Kerberos working for
authentication, and LDAP/AD groups working for authorization. Even better
would be to minimize admin tasks by not having to touch passwd, group,
keytab for every new user, just have PAM modules do it.
kinit works great.
------------------- /etc/pam.conf -------------------------
#
#ident "@(#)pam.conf 1.28 04/04/21 SMI"
#
# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
# not sure about these... Kerb only would be fine, or Unix as fallback.
sshd-kbdint auth requisite pam_authtok_get.so.1
sshd-kbdint auth required pam_dhkeys.so.1
sshd-kbdint auth required pam_unix_cred.so.1
sshd-kbdint auth sufficient pam_krb5.so.1 use_first_pass debug
sshd-kbdint auth optional pam_unix_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth required pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required pam_unix_cred.so.1
krlogin auth binding pam_krb5.so.1
krlogin auth required pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh auth required pam_unix_cred.so.1
krsh auth binding pam_krb5.so.1
krsh auth required pam_unix_auth.so.1
#
# Kerberized telnet service
#
ktelnet auth required pam_unix_cred.so.1
ktelnet auth binding pam_krb5.so.1
ktelnet auth required pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth required pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth required pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session sufficient pam_krb5.so.1
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#
# --- EXAMPLES not all that helpful :-(
------------------- /etc/krb5/krb5.conf -------------------
[libdefaults]
default_realm = WIN.STANFORD.EDU
forwardable = true
proxiable = true
dns_lookup_realm = true
dns_lookup_kdc = false
[realms]
WIN.STANFORD.EDU = {
kdc = 171.64.7.177
admin_server = 171.64.7.177:88
}
SOM.WIN.STANFORD.EDU = {
kdc = 171.64.7.171
admin_server = 171.64.7.171:88
}
[domain_realm]
win.stanford.edu = WIN.STANFORD.EDU
.win.stanford.edu = WIN.STANFORD.EDU
som.win.stanford.edu = SOM.WIN.STANFORD.EDU
.som.win.stanford.edu = SOM.WIN.STANFORD.EDU
[appdefaults]
pam = {
debug = true
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
kinit = {
renewable = true
forwardable = true
proxiable = false
}
login = {
krb5_get_tickets = true
}
Thanks,
Barry Allard
Stanford Med School
MedIRT
Solaris geek level: noob++
Windows geek level: domainadmin- (can't change DCs or make schema changes)
Krb geek level: user--
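The sshd-kbdint stack above is the part the poster is unsure about, and the thing to look at is the control flags: pam_krb5 is "sufficient" and pam_unix_auth is "optional", so neither password-verifying module carries a flag whose failure denies the stack, and "debug" is still on. The following Python script is an added example, not code from the post or from Sun; it parses a Solaris-style pam.conf (service, module type, control flag, module path, options) into per-service stacks and reports these structural weaknesses for every auth stack. It is a lint on flags and options only, not a simulation of the framework's result arithmetic. The module names in AUTHENTICATORS and the sample text (the sshd-kbdint and krlogin stanzas copied from the post) are constructed for the example.

```python
"""Lint the auth stacks of a Solaris-style /etc/pam.conf (added example).

Each non-comment line has the form:
    service  module_type  control_flag  module_path  [option ...]
"""
from collections import OrderedDict

# Modules that actually verify a password or Kerberos credential.
# Assumption: the Solaris 10 module names used in the post.
AUTHENTICATORS = {"pam_krb5.so.1", "pam_unix_auth.so.1", "pam_ldap.so.1"}

# Control flags whose failure causes the stack to deny (pam.conf(4) on Solaris).
DENYING_FLAGS = {"required", "requisite", "binding"}


def parse_pam_conf(text):
    """Return {(service, module_type): [(flag, module, options), ...]} in file order."""
    stacks = OrderedDict()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        service, mtype, flag, module = fields[:4]
        stacks.setdefault((service, mtype), []).append((flag, module, fields[4:]))
    return stacks


def lint_auth_stack(entries):
    """Return a list of findings (strings) for one service's auth stack."""
    findings = []
    auths = [(f, m, o) for f, m, o in entries if m in AUTHENTICATORS]
    if not auths:
        findings.append("no password-verifying module in stack")
    elif not any(f in DENYING_FLAGS for f, _, _ in auths):
        findings.append("no authenticator is required/requisite/binding: "
                        + ", ".join("%s %s" % (m, f) for f, m, _ in auths))
    for f, m, o in entries:
        if f == "optional" and m in AUTHENTICATORS:
            findings.append("%s is optional; its failure alone does not deny access" % m)
        if "debug" in o:
            findings.append("%s has debug enabled (verbose logging left on)" % m)
    return findings


def lint(text):
    """Map each service that has an auth stack to its list of findings."""
    return {svc: lint_auth_stack(entries)
            for (svc, mtype), entries in parse_pam_conf(text).items()
            if mtype == "auth"}


# Constructed sample: the two Kerberos-related stanzas from the post.
SAMPLE = """\
# not sure about these... Kerb only would be fine, or Unix as fallback.
sshd-kbdint auth requisite pam_authtok_get.so.1
sshd-kbdint auth required pam_dhkeys.so.1
sshd-kbdint auth required pam_unix_cred.so.1
sshd-kbdint auth sufficient pam_krb5.so.1 use_first_pass debug
sshd-kbdint auth optional pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required pam_unix_cred.so.1
krlogin auth binding pam_krb5.so.1
krlogin auth required pam_unix_auth.so.1
"""

if __name__ == "__main__":
    for service, findings in lint(SAMPLE).items():
        print(service + ":")
        for finding in findings or ["no findings"]:
            print("  - " + finding)
```

Run against the sample, krlogin comes back clean (pam_krb5 is "binding" and pam_unix_auth is "required"), while sshd-kbdint gets three findings: no authenticator with a denying flag, pam_unix_auth marked optional, and debug left on pam_krb5. The same script can be pointed at a full /etc/pam.conf by reading the file into lint().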