HP-UX Secure Shell and Kerberos 5

Marc syn_uw at NOSPAM_hotmail.com
Wed Sep 18 10:06:52 EDT 2002


I am currently making an HP-UX 11i authenticate itself to a Windows 2000 
KDC using HP-UX Secure Shell which is the following version (output from 

T1471AA                       A.03.10.002    HP-UX Secure Shell

Now it works very well if I am logging in from a UNIX client where I 
currently already have my ticket from the W2k KDC (by using kinit before 
doing my ssh). But if I don't have any tickets (for example using 
kdestroy before ssh) it simply won't let me log in. During this second 
attempt to log in (without any ticket) I ran a tcpdump port 88 on the 
server and I didn't see any requests to the KDC. Does anyone know what 
the problem could be ??? OpenSSH should validate my password with the 
KDC in case I don't have any tickets but it doesn't do that.

If I use telnet to log in to my HP-UX server and enter my login and my 
password, I can see the exchanges with the w2k KDC; this works fine.

Here is my pam.conf in case:

# PAM configuration
# Authentication management
login    auth sufficient        /usr/lib/security/libpam_krb5.1
login    auth required  /usr/lib/security/libpam_unix.1 try_first_pass
#login   auth required  /usr/lib/security/libpam_unix.1 try_first_pass
su       auth required  /usr/lib/security/libpam_unix.1
dtlogin  auth required  /usr/lib/security/libpam_unix.1
dtaction auth required  /usr/lib/security/libpam_unix.1
ftp      auth required  /usr/lib/security/libpam_unix.1
OTHER    auth required  /usr/lib/security/libpam_unix.1
# Account management
login    account required       /usr/lib/security/libpam_krb5.1
login    account required       /usr/lib/security/libpam_unix.1
su       account required       /usr/lib/security/libpam_unix.1
dtlogin  account required       /usr/lib/security/libpam_unix.1
dtaction account required       /usr/lib/security/libpam_unix.1
ftp      account required       /usr/lib/security/libpam_unix.1
OTHER    account required       /usr/lib/security/libpam_unix.1
# Session management
login    session required       /usr/lib/security/libpam_krb5.1
login    session required       /usr/lib/security/libpam_unix.1
dtlogin  session required       /usr/lib/security/libpam_unix.1
dtaction session required       /usr/lib/security/libpam_unix.1
OTHER    session required       /usr/lib/security/libpam_unix.1
# Password management
login    password required      /usr/lib/security/libpam_krb5.1
login    password required      /usr/lib/security/libpam_unix.1
passwd   password required      /usr/lib/security/libpam_unix.1
dtlogin  password required      /usr/lib/security/libpam_unix.1
dtaction password required      /usr/lib/security/libpam_unix.1
OTHER    password required      /usr/lib/security/libpam_unix.1

If you need any more information, debug output and so on, please let me 
know, I will be pleased to post it. Any information is welcome.

Many thanks !
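
Added example, not part of the original post: in a pam.conf of this style, a service with no entries of its own gets the OTHER entries, and this sketch resolves the auth stack per service from the lines quoted above. The service name "sshd" is an assumption (the post does not say which PAM service name HP-UX Secure Shell uses, or whether this build calls PAM at all), and the function names are hypothetical.

```python
# Constructed sample: the "auth" lines of the pam.conf quoted in the post.
PAM_CONF = """\
# Authentication management
login    auth sufficient        /usr/lib/security/libpam_krb5.1
login    auth required  /usr/lib/security/libpam_unix.1 try_first_pass
#login   auth required  /usr/lib/security/libpam_unix.1 try_first_pass
su       auth required  /usr/lib/security/libpam_unix.1
dtlogin  auth required  /usr/lib/security/libpam_unix.1
dtaction auth required  /usr/lib/security/libpam_unix.1
ftp      auth required  /usr/lib/security/libpam_unix.1
OTHER    auth required  /usr/lib/security/libpam_unix.1
"""


def parse_pam_conf(text):
    """Return a list of (service, module_type, control, module_path, options)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]   # drop comments, including commented-out entries
        fields = line.split()
        if len(fields) < 4:           # blank, comment-only or malformed line
            continue
        service, mtype, control, path = fields[:4]
        entries.append((service, mtype.lower(), control.lower(), path, fields[4:]))
    return entries


def resolve_stack(entries, service, mtype):
    """Entries PAM applies for service/mtype; falls back to OTHER when none match."""
    stack = [e for e in entries if e[0] == service and e[1] == mtype]
    if stack:
        return service, stack
    fallback = [e for e in entries if e[0].upper() == "OTHER" and e[1] == mtype]
    return "OTHER", fallback


def uses_module(entries, service, mtype, module_name):
    """True if module_name appears in the stack resolved for the service."""
    _, stack = resolve_stack(entries, service, mtype)
    return any(module_name in e[3] for e in stack)


if __name__ == "__main__":
    entries = parse_pam_conf(PAM_CONF)
    for svc in ("login", "sshd"):     # "sshd" as the PAM service name is an assumption
        matched, stack = resolve_stack(entries, svc, "auth")
        print(svc, "->", matched, [(e[2], e[3]) for e in stack])
```

Run against the full file on the server, the same resolution can be repeated for the account, session and password module types.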

