Kerberos MIT SSH Solaris 9

Andrea acirulli at gmail.com
Thu Feb 7 11:42:11 EST 2008


Hi all,

I'm experiencing some problems kerberizing ssh on Solaris 9 with MIT
Kerberos.

I have the following setup:

1. Sun Solaris 5.9

2. MIT Kerberos KDC 1.6.3 (I use just the KDC from MIT Kerberos)

3. On the Kerberos client side I use the one from Solaris, from the
following package: SUNWkrbu

4. Sun_SSH_1.1, SSH protocols 1.5/2.0, OpenSSL 0x0090700f

This is my pam.conf:
# PAM configuration
#
# Customized to try pam_unix, then pam_krb5
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication
#
# passwd command (explicit because of a different authentication
# module)
#
passwd  auth required           pam_passwd_auth.so.1
#
# Default definition for Authentication management
# Used when service name is not explicitly mentioned for authentication
# management
#
other   auth requisite          pam_authtok_get.so.1
other   auth sufficient         pam_unix_auth.so.1
other   auth required           pam_krb5.so.1 use_first_pass debug
#
# Account
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_projects.so.1
cron    account required        pam_unix_account.so.1
# See notes about pam_krb5 in "other" section below
cron    account optional        pam_krb5.so.1 debug
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account
# management
#
other   account requisite       pam_roles.so.1
other   account required        pam_projects.so.1
other   account required        pam_unix_account.so.1
# According to the pam_krb5 man page, this checks for password
# expiration.
# I'm not sure this does anything since I've flagged it as optional.
# I'm not sure if I can make it required because of root.
other   account optional        pam_krb5.so.1 debug
#
# Session
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session
# management
#
other   session optional        pam_krb5.so.1 debug
other   session required        pam_unix_session.so.1
#
# Password
#
# (Don't list pam_krb5 here, this section is only for root.  Regular
# users must use the centralized department password changing
# mechanism.)
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password
# management
#
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1
#

I can ssh into the machine using the Kerberos password; once I'm in I
have the two tickets (TGT and TGS), but if I try to ssh to the same
machine I have to retype the password, so single sign-on seems not to
be working.

Can anyone suggest where I'm going wrong?
Is the pam.conf correct?
Does native Solaris ssh support GSSAPI credential delegation well?

My goal is to obtain single sign-on with as many native Solaris tools as
possible, the only exception being the MIT Kerberos KDC server!

Thanks in advance!
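The pam.conf above only governs the password path: pam_krb5 in the auth stack obtains a TGT after the user types a password, which is why the first login leaves a TGT in the cache. A password-free second hop is decided at the SSH layer, not in PAM: sshd must accept GSSAPI authentication, the client must offer it (and delegate the TGT if a third hop is wanted), the cache must hold a TGT, and the server's keytab must contain host/<fqdn>@REALM for the name the client connects to. The checker below is an added example, not code from the original post or from Sun/MIT; it reads constructed sshd_config, ssh_config, `klist` and `klist -k` text and reports which of those prerequisites is missing. The hostname sol9.example.com, the realm EXAMPLE.COM and all file contents are assumptions for illustration. Because the default for GSSAPIAuthentication differs between releases, the check insists on an explicit `yes` rather than trusting the default; the option names GSSAPIAuthentication and GSSAPIDelegateCredentials are the standard OpenSSH/Sun SSH keywords.

```python
"""Added example: audit the pieces that GSSAPI single sign-on over ssh needs.

All inputs are constructed samples (assumed hostnames, realm and file text).
"""
import re
from typing import Dict, List, Tuple


def parse_ssh_config(text: str) -> Dict[str, str]:
    """Parse 'Keyword value' lines of sshd_config/ssh_config.

    Keywords are case-insensitive, '#' starts a comment, and ssh/sshd use
    the FIRST value given for a keyword, so later duplicates do not override.
    """
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        opts.setdefault(parts[0].lower(), parts[1].strip().lower())
    return opts


def parse_principals(klist_text: str) -> List[str]:
    """Collect service/key principals (last token containing '@') from
    the output of `klist` (credential cache) or `klist -k` (keytab)."""
    principals = []
    for line in klist_text.splitlines():
        if line.lstrip().startswith("Default principal"):
            continue  # the user principal, not a ticket or key
        tokens = line.split()
        if tokens and "@" in tokens[-1]:
            principals.append(tokens[-1])
    return principals


def sso_checklist(sshd_conf: str, ssh_conf: str, user_klist: str,
                  keytab_klist: str, server_fqdn: str, realm: str
                  ) -> List[Tuple[str, bool]]:
    """Return (check name, passed) pairs for a GSSAPI ssh single sign-on."""
    sd = parse_ssh_config(sshd_conf)
    sc = parse_ssh_config(ssh_conf)
    cache = parse_principals(user_klist)
    keytab = parse_principals(keytab_klist)
    tgt = "krbtgt/%s@%s" % (realm, realm)
    host_princ = "host/%s@%s" % (server_fqdn, realm)  # name the client asks for
    return [
        ("sshd_config: GSSAPIAuthentication yes",
         sd.get("gssapiauthentication") == "yes"),
        ("ssh_config: GSSAPIAuthentication yes",
         sc.get("gssapiauthentication") == "yes"),
        ("ssh_config: GSSAPIDelegateCredentials yes (TGT forwarded to next hop)",
         sc.get("gssapidelegatecredentials") == "yes"),
        ("user cache: %s present" % tgt, tgt in cache),
        ("server keytab: %s present" % host_princ, host_princ in keytab),
    ]


def missing(checks: List[Tuple[str, bool]]) -> List[str]:
    """Names of the checks that failed."""
    return [name for name, ok in checks if not ok]


# Constructed samples (assumptions, not real hosts or files).
SSHD_BEFORE = "Protocol 2,1\nPermitRootLogin no\n"
SSHD_AFTER = SSHD_BEFORE + "GSSAPIAuthentication yes\n"
SSH_BEFORE = "Host *\n    ForwardAgent no\n"
SSH_AFTER = SSH_BEFORE + "    GSSAPIAuthentication yes\n    GSSAPIDelegateCredentials yes\n"
USER_KLIST = """Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: andrea@EXAMPLE.COM

Valid starting                Expires                Service principal
02/07/08 11:30:00  02/07/08 21:30:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""
KEYTAB_FQDN = """Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------
   3 host/sol9.example.com@EXAMPLE.COM
"""
KEYTAB_SHORT = KEYTAB_FQDN.replace("host/sol9.example.com@", "host/sol9@")

if __name__ == "__main__":
    for conf in ((SSHD_BEFORE, SSH_BEFORE, KEYTAB_FQDN),
                 (SSHD_AFTER, SSH_AFTER, KEYTAB_SHORT),
                 (SSHD_AFTER, SSH_AFTER, KEYTAB_FQDN)):
        checks = sso_checklist(conf[0], conf[1], USER_KLIST, conf[2],
                               "sol9.example.com", "EXAMPLE.COM")
        print("missing:", missing(checks) or "nothing, SSO prerequisites met")
```

The second sample run shows the classic keytab mistake: a key for the short host name does not satisfy a client that resolves the target to its FQDN and requests host/sol9.example.com@EXAMPLE.COM. Run the real `klist`, `klist -k` and the two config files through the same functions on the box in question; none of this is controlled by the pam.conf stacks, so the auth line for pam_krb5 can be left as it is for password logins.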



More information about the Kerberos mailing list