Authenticating via Kerberos in SSH on Solaris 9
Douglas E. Engert
deengert at anl.gov
Tue Jan 4 14:16:10 EST 2005
Tyson Oswald wrote:
> Greetings All,
>
> I have been making good progress in getting Kerberos to work on Solaris 9 and Windows AD. I have it working very well from the console. Problems arise when I use SSH. I have my pam.conf configured as follows for SSH which is identical to login
>
> sshd auth sufficient pam_unix_auth.so.1
> sshd auth required pam_krb5.so.1 try_first_pass debug
>
> When I connect to SSH it does an initial call to the DC before I even enter my password, like so
So do you also have the sshd auth requisite pam_authtok_get.so.1
before these? It should prompt for the initial password. It might
be that the try_first_pass is trying the null string passed by sshd
to pam, thus the first decrypt failure message.
We are using something like this, but not using the Solaris pam_krb5:
# sshd - keyboard interactive uses all PAM exists, but
# privsep gets in the way. So use force.
# PAM session is called when GSSAPI delegation or
# Kerberos password used, so get AFS token in all three cases.
# We want a session type cache, so with ANL PAM
# pass in ccache=
# We need ccache= on HP as it does not have pam_putenv
# RedHat PAM uses session cache already
#
sshd auth requisite pam_authtok_get.so.1
sshd auth required pam_dhkeys.so.1
sshd auth sufficient /krb5/lib/pam_krb5.so.1 use_first_pass forwardable force_creds cache=/tmp/krb5cc_u%u_p%p
sshd auth required pam_unix_auth.so.1
#
sshd session required pam_unix_session.so.1
sshd session required /krb5/lib/pam_afs2.so.1
#
If you are interested, we have MIT Krb5 1.3.5 with OpenSSH-3.9p1
working with the Solaris 9 dtlogin, dtsession, xlock, xscreensaver.
The KDC is Windows 2003 AD.
>
> Jan 4 10:03:48 snoopy sshd[19516]: [ID 655841 local6.debug] PAM-KRB5 (auth): pam_sm_authenticate flags=1
> Jan 4 10:03:48 snoopy sshd[19516]: [ID 549540 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: start: user='cbrown'
> Jan 4 10:03:48 snoopy sshd[19516]: [ID 179272 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt integrity check failed
> Jan 4 10:03:48 snoopy sshd[19516]: [ID 399723 local6.debug] PAM-KRB5 (auth): clearing initcreds in pam_authenticate()
> Jan 4 10:03:48 snoopy sshd[19516]: [ID 833335 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth returning 9
> Jan 4 10:03:48 snoopy sshd[19516]: [ID 954327 local6.debug] PAM-KRB5 (auth): prompting for password
> Jan 4 10:03:48 snoopy sshd[19516]: [ID 549540 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: start: user='cbrown'
> Jan 4 10:03:48 snoopy sshd[19516]: [ID 179272 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt integrity check failed
> Jan 4 10:03:48 snoopy sshd[19516]: [ID 399723 local6.debug] PAM-KRB5 (auth): clearing initcreds in pam_authenticate()
> Jan 4 10:03:48 snoopy sshd[19516]: [ID 833335 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth returning 9
> Jan 4 10:03:48 snoopy sshd[19516]: [ID 914654 local6.debug] PAM-KRB5 (auth): pam_sm_auth finalize ccname env, result =9, env ='KRB5CCNAME=FILE:/tmp/krb5cc_106', age = 0, status = 9
> Jan 4 10:03:48 snoopy sshd[19516]: [ID 525286 local6.debug] PAM-KRB5 (auth): end: Authentication failed
>
>
> The problem here is it will eventually lock out our domain account. I am pretty sure this is not a Kerberos issue but was wondering if anyone else ran into this issue. I am using Solaris 9 and the SSH that came with it so Sun_SSH_1.0.1.
>
> thanks much,
> Tyson Oswald
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
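An added check, not part of the thread, that applies Douglas's diagnosis to the PAM-KRB5 debug lines Tyson quoted: it groups the syslog output by sshd PID and counts KDC failures logged before and after "prompting for password". A failure before the prompt is an attempt pam_krb5 made with a password the user never typed (the empty string sshd hands to PAM, consumed by try_first_pass), and each one counts as a bad-password strike against the AD lockout threshold. The sample log is constructed to mirror the quoted lines; the function and field names are my own.

```python
import re

# Constructed sample, mirroring the syslog lines quoted in the thread.
SAMPLE_LOG = """\
Jan 4 10:03:48 snoopy sshd[19516]: [ID 655841 local6.debug] PAM-KRB5 (auth): pam_sm_authenticate flags=1
Jan 4 10:03:48 snoopy sshd[19516]: [ID 549540 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: start: user='cbrown'
Jan 4 10:03:48 snoopy sshd[19516]: [ID 179272 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt integrity check failed
Jan 4 10:03:48 snoopy sshd[19516]: [ID 954327 local6.debug] PAM-KRB5 (auth): prompting for password
Jan 4 10:03:48 snoopy sshd[19516]: [ID 549540 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: start: user='cbrown'
Jan 4 10:03:48 snoopy sshd[19516]: [ID 179272 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt integrity check failed
Jan 4 10:03:48 snoopy sshd[19516]: [ID 525286 local6.debug] PAM-KRB5 (auth): end: Authentication failed
"""

# Solaris syslog line: "... sshd[<pid>]: [ID ...] PAM-KRB5 (auth): <message>"
LINE_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: .*PAM-KRB5 \(auth\): (?P<msg>.*)$")
USER_RE = re.compile(r"user='(?P<user>[^']*)'")
# The KDC rejection seen in the thread (wrong or empty password at pre-auth).
KDC_FAIL = "krb5_get_init_creds_password returns: Decrypt integrity check failed"


def audit_preauth_failures(log_text):
    """Return {pid: {"user", "before_prompt", "after_prompt"}}.

    before_prompt > 0 means pam_krb5 sent a password to the KDC before it had
    asked the user for one, i.e. the null string passed in by sshd was tried.
    Those attempts burn lockout strikes without any chance of succeeding.
    """
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        s = sessions.setdefault(pid, {"user": None, "prompted": False,
                                      "before_prompt": 0, "after_prompt": 0})
        u = USER_RE.search(msg)
        if u:
            s["user"] = u.group("user")
        if msg.startswith("prompting for password"):
            s["prompted"] = True  # everything after this came from a real prompt
        elif KDC_FAIL in msg:
            s["after_prompt" if s["prompted"] else "before_prompt"] += 1
    return {pid: {k: v for k, v in s.items() if k != "prompted"}
            for pid, s in sessions.items()}


if __name__ == "__main__":
    for pid, info in audit_preauth_failures(SAMPLE_LOG).items():
        print(pid, info)
```

With the thread's log this reports one failure before the prompt and one after, so half of the strikes charged to cbrown's account came from the pre-prompt attempt that the pam_authtok_get / use_first_pass ordering is meant to avoid.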