problem setting up ssh-krb5 from Debian Sarge

dkuhl dkuhl at paritysys.net
Thu Oct 28 17:23:50 EDT 2004


	I don't know of anything that you have to do for PAM on the remote 
machine.  Just make sure that both the remote machine and the local 
machine are running the kerberized ssh package (ssh-krb5).  The remote 
machine also needs a keytab with the host service for that machine (so 
if the machine you're connecting to is named "rizzo" then the keytab on 
rizzo would have to have an entry like "host/rizzo.domain@REALM" - 
substituting your domain and realm of course).

	My /etc/ssh/sshd_config file has the following in it:
----------------------------------
[other non kerberos stuff]

# To change Kerberos options
KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
KerberosTicketCleanup yes

# Kerberos TGT Passing does only work with the AFS kaserver or krb5
KerberosTgtPassing yes

#GSSAPI authentication
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPIUseSessionCredCache yes

[more non-kerberos stuff]
----------------------------

	To get PAM set up so that you automatically get a ticket any time you 
log in to the local machine you need to do this (debian oriented 
instructions):

1. apt-get install libpam-krb5

2. You will need to have the host service listed in the local keytab
of your machine.  To check for this run the following command as root:
       "k5srvutil list".  If you see two entries that start with
"host/" go to the next step, otherwise you will need to add them with 
kadmin. See below.

3. /etc/login.defs
     modify the line that says "CLOSE_SESSIONS no"
     to "CLOSE_SESSIONS yes"

4. /etc/pam.d/common-auth
     (here is what mine looks like - after intro comments)
   #auth      required     pam_unix.so nullok_secure
   auth       sufficient   pam_krb5.so
   auth       sufficient   pam_unix.so nullok try_first_pass
   auth       required     pam_deny.so

         That's all, unless you still need to setup your local keytab
(step 2), in which case read the below.  So far this has been working 
for either a plain console login, login via xdm, or login via gdm.


KADMIN - add the host service to the list of principals then add the
proper key to your keytab.

1. From your machine run the following as root:
      kadmin -p admin/admin

2. Check for your machine's host service principal:
     kadmin: listprincs

3. If your machine's host service is not listed add it with:
     kadmin: addprinc -randkey host/[machinename].yourdomain
	(you don't have to do randkey but I like it)

4. Once the host service principal exists add it to your keytab:
      kadmin: ktadd -k /etc/krb5.keytab  host/[machinename].yourdomain

5. Exit kadmin:  quit.


D.

David Kuhl
Parity Systems
dkuhl at paritysys.com
-----------------------



Wes Chow wrote:
>>	Yeah, it looks like the user account "wchow" doesn't exist on the 
>>remote machine, which seems odd since you said that the telnet works. 
>>But the line in your output:
>>
>>debug1: Starting up PAM with username "wchow"
>>Failed none for wchow from 192.168.0.13 port 32804 ssh2
>>
>>	... shows that PAM is failing this user log in.
>>
>>D.
>>
>>
>>Sam Hartman wrote:
>>
>>>Your pam account stack is claiming that you are not authorized to log
>>>in.
> 
> 
> Do I have to do anything special to my PAM stack?  I haven't touched
> it at all.
> 
> On a possibly related note, I'm having problems getting PAM
> authentication to work with console logins.  I've added the line "auth
> sufficient pam_krb5.so forwardable" to /etc/pam.d/common-auth and
> "session optional pam_krb5.so" to /etc/pam.d/common-session.  It's
> complaining with the error "Authentication service cannot retrieve
> authentication info."  Googling on that, ironically, comes up with
> my previous email about not being able to get ssh-krb5 to work.
> 
> Thanks,
> Wes
>  

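The keytab check in step 2 and the kadmin steps at the end of David's message, as an added shell example (editor's code, not part of the original post or of the ssh-krb5/MIT Kerberos packages): it parses a `klist -k` / `k5srvutil list` style listing, reports whether the host service principal is present and how many keys it has, and prints the kadmin commands to run when it is missing. The host name rizzo.example.com, the realm EXAMPLE.COM, and the two sample listings are constructed placeholders; run the real listing through it on your own machine.

```shell
#!/bin/sh
# Added example, not from the original message or from any Kerberos package.
# Verifies that the local keytab carries host/<fqdn>@REALM, which both
# ssh-krb5 (on the remote side) and pam_krb5 (for local logins) need, and
# prints the kadmin steps from the message above when it is missing.
# rizzo.example.com / EXAMPLE.COM are placeholders for your host and realm.

# Print the principal names in a keytab listing (output of `klist -k` or
# `k5srvutil list`), one per line. Header and separator lines carry no "@",
# so only real principal entries survive; the principal is the last field
# in both tools' formats.
keytab_principals() {
    # $1: listing text
    printf '%s\n' "$1" | awk '$NF ~ /@/ { print $NF }'
}

# Exit 0 if the listing contains host/$2@$3, else 1.
keytab_has_host_principal() {
    # $1: listing text, $2: fqdn, $3: realm
    keytab_principals "$1" | grep -qx "host/$2@$3"
}

# Number of keys stored for host/$2@$3 (one line per enctype/kvno);
# the message above expects to see at least two such entries.
keytab_host_key_count() {
    # $1: listing text, $2: fqdn, $3: realm
    keytab_principals "$1" | grep -cx "host/$2@$3" || true
}

# The kadmin session from the message above: create the host principal with
# a random key (never typed by a human) and export it into the keytab.
kadmin_fix_commands() {
    # $1: fqdn, $2: keytab path
    printf 'kadmin -p admin/admin\n'
    printf 'kadmin: addprinc -randkey host/%s\n' "$1"
    printf 'kadmin: ktadd -k %s host/%s\n' "$2" "$1"
    printf 'kadmin: quit\n'
}

# Constructed sample listings in `klist -k` format (placeholders, not real
# output from any machine).
KEYTAB_OK='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/rizzo.example.com@EXAMPLE.COM
   2 host/rizzo.example.com@EXAMPLE.COM'

KEYTAB_MISSING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/rizzo.example.com@EXAMPLE.COM'

# Report on one listing: $1 listing text, $2 fqdn, $3 realm, $4 keytab path.
check_keytab() {
    if keytab_has_host_principal "$1" "$2" "$3"; then
        echo "host/$2@$3 present ($(keytab_host_key_count "$1" "$2" "$3") keys)"
    else
        echo "host/$2@$3 missing from $4; run:"
        kadmin_fix_commands "$2" "$4"
    fi
}

main() {
    check_keytab "$KEYTAB_OK"      rizzo.example.com EXAMPLE.COM /etc/krb5.keytab
    check_keytab "$KEYTAB_MISSING" rizzo.example.com EXAMPLE.COM /etc/krb5.keytab
}

main "$@"
```

On a real machine replace the sample listing with `"$(klist -k /etc/krb5.keytab)"` (or `"$(k5srvutil list)"`, as in the message) run as root, since the keytab is readable only by root. Note that the kadmin `addprinc` line, like the one in the message, omits the realm and relies on kadmin's default realm; use the full `host/fqdn@REALM` form if the KDC serves more than one realm.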
