Openssh and Kerberos
Wyllys Ingersoll
wyllys.ingersoll at sun.com
Tue Mar 26 08:48:44 EST 2002
Why are you using 'acceptor' with pam_unix? That is not a supported
pam_unix option. 'acceptor' should only be used by services
that are capable of exchanging Kerberos (or GSSAPI/KRB5) credentials
natively so they dont try to perform a 2nd kerberos authentication.
It is useless for any other service. Only to be used with
ktelnet, krlogin (and I sshd if it accepts kerberos
creds over the wire).
If your daemon got the kerberos creds using GSSAPI then having the
'forwardable' flag set depends on how you created your ticket on
the client side (did you use 'kinit -f' ?). If your daemon did not
do the GSSAPI authentication and you relied on pam_krb5 (without
'acceptor' option), then the forwardable flag will be set according to
the 'kinit' options in the krb5.conf file (look in the [appdefaults]
section). Are you using the MIT krb5 gssapi code or the Solaris
gssapi code?
kpasswd core dumping? Thats a completely different issue entirely.
If you are using MIT code that you built yourself, just debug it.
If you can't debug it, on Solaris you can use the 'truss' command to
see what is happening: 'truss kpasswd'.
-wyllys
Suchun Wu wrote:
> Thanks for your response. I'm using Mit Kerberos5 (newest version)
> pam_krb5 module. I got concurrent log problem solved by using the switch
> in /etc/pam/conf as follows:
>
> sshd auth required /usr/lib/security/$ISA/pam_unix.so.1 acceptor
>
> I can now loggin as many times as I like. It creates a credential cache
> by tagging a (0). I'm not sure if it's ok or not for ticket forwarding.
>
> The problem still remains: I cannot change my password at KDC by using
> kpasswd. It got a core dumped. Any help would be appreciated.
>
> Suchun
>
> ---------------------
>
> Suchun.Wu at bmo.com wrote:
> : I just compiled SSH v3.1.0p1 with the GSSAPI and opnessh patches included
> : on a Solaris 8 box. It works
> : fine, well I get my password authenticated by the KDC on a W2K box. But I
> : have
> : remarked that my credential cache in /tmp directory is owned by the root.
> : Is it correct?
>
> Errm. No. The crendtials cache should be owned by you. I take it from your
> description that you are authenticating by password to the SSH server.
>
> Are you using PAM on Solaris? Is it possible that the Kerberos
> authentication
> is being done by the pam_krb5 module?
>
> Are you using MIT Kerberos or Heimdal? As far as I'm aware, the patches
> for 3.1p1 and MIT Kerberos won't write out any credentials cache when you
> authenticate by password. This is a bug which I'm investigating, but doesn't
> explain your problem.
>
> Cheers,
>
> Simon.
>
More information about the Kerberos
mailing list