Openssh and Kerberos

Suchun.Wu@bmo.com Suchun.Wu at bmo.com
Thu Mar 28 14:35:05 EST 2002


Hi Folks,

We should not put the "acceptor" option for sshd authentication! It will
bypass any authentication for any account. That means that you don't need
to use a password. It accepts anything!

So my problem remains unchanged. I hope there is a fix soon.

Suchun

------------------------
Message-ID: <000801c1d469$ba4bd0f0$0b5810ac at suchun.home.com>
Reply-To: "Suchun Wu" <suchun18 at rogers.com>
From: "Suchun Wu" <suchun18 at rogers.com>
To: <kerberos at mit.edu>
Date: Mon, 25 Mar 2002 20:58:25 -0500

Thanks for your response. I'm using MIT Kerberos5 (newest version)
pam_krb5 module. I got the concurrent log problem solved by using the switch
in /etc/pam/conf as follows:
sshd auth required /usr/lib/security/$ISA/pam_unix.so.1    acceptor

I can now log in as many times as I like. It creates a credential cache
by tagging a (0). I'm not sure if it's ok or not for ticket forwarding.

The problem still remains: I cannot change my password at KDC by using
kpasswd. It got a core dump. Any help would be appreciated.

Suchun

---------------------
Suchun.Wu at bmo.com wrote:
: I just compiled SSH v3.1.0p1 with the GSSAPI and openssh patches included
: on a Solaris 8 box. It works
: fine, well I get my password authenticated by the KDC on a W2K box. But I
: have
: remarked that my credential cache in /tmp directory is owned by the root.
: Is it correct?

Errm. No. The credentials cache should be owned by you. I take it from your
description that you are authenticating by password to the SSH server.

Are you using PAM on Solaris? Is it possible that the Kerberos authentication
is being done by the pam_krb5 module?

Are you using MIT Kerberos or Heimdal? As far as I'm aware, the patches
for 3.1p1 and MIT Kerberos won't write out any credentials cache when you
authenticate by password. This is a bug which I'm investigating, but doesn't
explain your problem.

Cheers,

Simon.



________________________________________________
Kerberos mailing list           Kerberos at mit.edu
http://mailman.mit.edu/mailman/listinfo/kerberos
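The pam.conf line quoted in this thread is exactly the kind of change a small audit script can catch before anyone relies on it. The following is an added example written for this archive page; it is not code from the thread, nor from the OpenSSH, MIT Kerberos or Solaris projects. It parses Solaris-style pam.conf entries (service, type, control flag, module path, options), picks out the auth stack that will actually apply to sshd (falling back to the `other` service as pam.conf does), and flags any option the auditor does not recognise, such as the `acceptor` switch from the thread, as well as a stack with no required/requisite module. The allowlist of recognised options and both sample configurations are constructed assumptions for illustration, not taken from the thread or from any Solaris release.

```python
"""Audit the sshd auth stack in a Solaris-style pam.conf (added example)."""
from dataclasses import dataclass, field
from typing import List, Tuple

# Control flags of a Solaris 8-era pam.conf(4).
CONTROL_FLAGS = {"required", "requisite", "optional", "sufficient"}

# Options this auditor treats as recognised. ASSUMPTION for illustration:
# the generic options most PAM modules accept. Check the man page of each
# module on your release before relying on this list.
KNOWN_OPTIONS = {"debug", "nowarn", "use_first_pass", "try_first_pass"}


@dataclass
class PamEntry:
    service: str
    mod_type: str
    control: str
    module: str
    options: List[str] = field(default_factory=list)
    line_no: int = 0


def parse_pam_conf(text: str) -> List[PamEntry]:
    """Parse pam.conf text: service type control module_path [options...]."""
    entries = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"line {n}: expected at least 4 fields, got {len(fields)}")
        service, mod_type, control, module, *options = fields
        if control not in CONTROL_FLAGS:
            raise ValueError(f"line {n}: unknown control flag {control!r}")
        entries.append(PamEntry(service, mod_type, control, module, options, n))
    return entries


def auth_stack(entries: List[PamEntry], service: str = "sshd") -> Tuple[List[PamEntry], str]:
    """Return the auth stack used for `service`; pam.conf falls back to 'other'."""
    stack = [e for e in entries if e.service == service and e.mod_type == "auth"]
    if stack:
        return stack, service
    return [e for e in entries if e.service == "other" and e.mod_type == "auth"], "other"


def audit_sshd_auth(text: str) -> List[str]:
    """Return findings for the sshd auth stack; an empty list means nothing flagged."""
    findings = []
    stack, used = auth_stack(parse_pam_conf(text), "sshd")
    if used != "sshd":
        findings.append("sshd has no auth entries; the 'other' stack applies")
    if not stack:
        findings.append("no auth stack applies to sshd at all")
        return findings
    for e in stack:
        mod_name = e.module.rsplit("/", 1)[-1]  # keep $ISA paths intact, report module name only
        for opt in e.options:
            if opt not in KNOWN_OPTIONS:
                findings.append(f"line {e.line_no}: unrecognised option {opt!r} on {mod_name}")
    if not any(e.control in ("required", "requisite") for e in stack):
        findings.append("no required/requisite module in the sshd auth stack")
    return findings


# Constructed sample modelled on the line quoted in the thread.
THREAD_CONFIG = """\
# /etc/pam.conf (constructed sample)
sshd    auth    required    /usr/lib/security/$ISA/pam_unix.so.1    acceptor
other   auth    required    /usr/lib/security/$ISA/pam_unix.so.1
"""

# Same service without the stray option (constructed; module order and
# options are illustrative, not a recommended Solaris configuration).
FIXED_CONFIG = """\
sshd    auth    required    /usr/lib/security/$ISA/pam_krb5.so.1
sshd    auth    required    /usr/lib/security/$ISA/pam_unix.so.1    use_first_pass
other   auth    required    /usr/lib/security/$ISA/pam_unix.so.1
"""

if __name__ == "__main__":
    for name, cfg in (("thread", THREAD_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit_sshd_auth(cfg) or ["ok"])
```

Run against the thread's line the auditor reports the unrecognised `acceptor` option on `pam_unix.so.1`; the allowlist is deliberately strict, so an unknown option is a finding to investigate rather than something to silently ignore.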