Authenticating via Kerberos in SSH on Solaris 9
Tyson Oswald
oswaldt at ameritech.net
Tue Jan 4 10:08:59 EST 2005
Greetings All,
I have been making good progress in getting Kerberos to work on Solaris 9 and Windows AD. I have it working very well from the console. Problems arise when I use SSH. I have my pam.conf configured as follows for SSH, which is identical to login:
sshd auth sufficient pam_unix_auth.so.1
sshd auth required pam_krb5.so.1 try_first_pass debug
When I connect to SSH it does an initial call to the DC before I even enter my password, like so:
Jan 4 10:03:48 snoopy sshd[19516]: [ID 655841 local6.debug] PAM-KRB5 (auth): pam_sm_authenticate flags=1
Jan 4 10:03:48 snoopy sshd[19516]: [ID 549540 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: start: user='cbrown'
Jan 4 10:03:48 snoopy sshd[19516]: [ID 179272 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt integrity check failed
Jan 4 10:03:48 snoopy sshd[19516]: [ID 399723 local6.debug] PAM-KRB5 (auth): clearing initcreds in pam_authenticate()
Jan 4 10:03:48 snoopy sshd[19516]: [ID 833335 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth returning 9
Jan 4 10:03:48 snoopy sshd[19516]: [ID 954327 local6.debug] PAM-KRB5 (auth): prompting for password
Jan 4 10:03:48 snoopy sshd[19516]: [ID 549540 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: start: user='cbrown'
Jan 4 10:03:48 snoopy sshd[19516]: [ID 179272 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt integrity check failed
Jan 4 10:03:48 snoopy sshd[19516]: [ID 399723 local6.debug] PAM-KRB5 (auth): clearing initcreds in pam_authenticate()
Jan 4 10:03:48 snoopy sshd[19516]: [ID 833335 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth returning 9
Jan 4 10:03:48 snoopy sshd[19516]: [ID 914654 local6.debug] PAM-KRB5 (auth): pam_sm_auth finalize ccname env, result =9, env ='KRB5CCNAME=FILE:/tmp/krb5cc_106', age = 0, status = 9
Jan 4 10:03:48 snoopy sshd[19516]: [ID 525286 local6.debug] PAM-KRB5 (auth): end: Authentication failed
The problem here is it will eventually lock out our domain account. I am pretty sure this is not a Kerberos issue but was wondering if anyone else ran into this issue. I am using Solaris 9 and the SSH that came with it, so Sun_SSH_1.0.1.
thanks much,
Tyson Oswald
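
An added example, not part of the original post: a small Python parser over the pam_krb5 debug lines quoted above that counts, per sshd process, how many rejected KDC password requests were logged and how many of them appear before the "prompting for password" line. The function and field names are hypothetical, and the syslog line layout is assumed to match the lines in the post.

```python
import re
from collections import defaultdict

# Subset of the pam_krb5 debug lines quoted in the post above.
SAMPLE = """\
Jan 4 10:03:48 snoopy sshd[19516]: [ID 549540 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: start: user='cbrown'
Jan 4 10:03:48 snoopy sshd[19516]: [ID 179272 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt integrity check failed
Jan 4 10:03:48 snoopy sshd[19516]: [ID 954327 local6.debug] PAM-KRB5 (auth): prompting for password
Jan 4 10:03:48 snoopy sshd[19516]: [ID 549540 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: start: user='cbrown'
Jan 4 10:03:48 snoopy sshd[19516]: [ID 179272 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt integrity check failed
Jan 4 10:03:48 snoopy sshd[19516]: [ID 525286 local6.debug] PAM-KRB5 (auth): end: Authentication failed
"""

# Assumed layout, taken from the sample: "sshd[PID]: [ID n fac.lvl] PAM-KRB5 (auth): message"
LINE = re.compile(r"sshd\[(\d+)\]: \[ID \d+ \S+\] PAM-KRB5 \(auth\): (.*)$")
START = re.compile(r"attempt_krb5_auth: start: user='([^']*)'")
# The error string the post shows for a rejected password request to the KDC.
BAD_PW = "krb5_get_init_creds_password returns: Decrypt integrity check failed"


def summarize(text):
    """Return {pid: {"user", "failed", "before_prompt"}} for each sshd process."""
    sessions = defaultdict(lambda: {"user": None, "failed": 0, "before_prompt": 0})
    prompted = set()  # PIDs for which "prompting for password" has been seen
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not a pam_krb5 auth debug line
        pid, msg = m.groups()
        entry = sessions[pid]
        user = START.search(msg)
        if user:
            entry["user"] = user.group(1)
        elif msg.strip() == "prompting for password":
            prompted.add(pid)
        elif BAD_PW in msg:
            entry["failed"] += 1
            if pid not in prompted:
                entry["before_prompt"] += 1  # failure logged before the prompt line
    return dict(sessions)


if __name__ == "__main__":
    for pid, s in summarize(SAMPLE).items():
        print(f"sshd[{pid}] user={s['user']} failed_kdc_requests={s['failed']} "
              f"before_prompt={s['before_prompt']}")
```

A non-zero before_prompt count for a session marks the behaviour described in the post: a password request reached the DC before pam_krb5 prompted.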