Authenticating via Kerberos in SSH on Solaris 9
Douglas E. Engert
deengert at anl.gov
Wed Jan 5 11:01:42 EST 2005
Tyson Oswald wrote:
> That seems to fix the issue of locking the account but it still dumps
> that message in the log. I will try and use use_first_pass and see if
> that makes a difference. Adding pam_authtok_get seemed to fix the
> lockout problem. It's slow going since everything has to be approved
> before we can make changes to our AD since we are part of a huge forest.
You say it works with login but not sshd? That would indicate that the
Solaris Kerberos libs and pam_krb5 can handle the tickets, and the decrypt
message indicates that the password could not be turned into a key as expected.
You could also write a simple PAM debug exit of your own, and have it
log the user and password as seen by PAM. Then include this before and after
the pam_krb5. It could be the Solaris sshd is not passing the password
correctly to PAM.
Ethereal might also help to see what packets are being sent.
>
> thanks for the help.
>
> Tyson
> On Jan 4, 2005, at 02:16 PM, Douglas E. Engert wrote:
>
>>
>>
>> Tyson Oswald wrote:
>>
>>> Greetings All,
>>> I have been making good progress in getting Kerberos to work on
>>> Solaris 9 and Windows AD. I have it working very well from the
>>> console. Problems arise when I use SSH. I have my pam.conf
>>> configured as follows for SSH, which is identical to login:
>>> sshd auth sufficient pam_unix_auth.so.1
>>> sshd auth required pam_krb5.so.1 try_first_pass debug
>>
>>
>>> When I connect to SSH it does an initial call to the DC before I even
>>> enter my password, like so
>>
>>
>> So do you also have the sshd auth requisite pam_authtok_get.so.1
>> before these? It should prompt for the initial password. It might
>> be that the try_first_pass is trying the null string passed by sshd
>> to pam, thus the first decrypt failure message.
>>
>> We are using something like this, but not using the Solaris pam_krb5:
>>
>> # sshd - keyboard interactive uses all PAM exists, but
>> # privsep gets in the way. So use force.
>> # PAM session is called when GSSAPI delegation or
>> # Kerberos password used, so get AFS token in all three cases.
>> # We want a session type cache, so with ANL PAM
>> # pass in ccache=
>> # We need ccache= on HP as it does not have pam_putenv
>> # RedHat PAM uses session cache already
>> #
>> sshd auth requisite pam_authtok_get.so.1
>> sshd auth required pam_dhkeys.so.1
>> sshd auth sufficient /krb5/lib/pam_krb5.so.1 use_first_pass forwardable force_creds cache=/tmp/krb5cc_u%u_p%p
>> sshd auth required pam_unix_auth.so.1
>> #
>> sshd session required pam_unix_session.so.1
>> sshd session required /krb5/lib/pam_afs2.so.1
>> #
>>
>>
>> If you are interested, we have MIT Krb5 1.3.5 with OpenSSH-3.9p1
>> working with the Solaris 9 dtlogin, dtsession, xlock, xscreensaver.
>> The KDC is Windows 2003 AD.
>>
>>
>>> Jan 4 10:03:48 snoopy sshd[19516]: [ID 655841 local6.debug] PAM-KRB5 (auth): pam_sm_authenticate flags=1
>>> Jan 4 10:03:48 snoopy sshd[19516]: [ID 549540 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: start: user='cbrown'
>>> Jan 4 10:03:48 snoopy sshd[19516]: [ID 179272 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt integrity check failed
>>> Jan 4 10:03:48 snoopy sshd[19516]: [ID 399723 local6.debug] PAM-KRB5 (auth): clearing initcreds in pam_authenticate()
>>> Jan 4 10:03:48 snoopy sshd[19516]: [ID 833335 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth returning 9
>>> Jan 4 10:03:48 snoopy sshd[19516]: [ID 954327 local6.debug] PAM-KRB5 (auth): prompting for password
>>> Jan 4 10:03:48 snoopy sshd[19516]: [ID 549540 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: start: user='cbrown'
>>> Jan 4 10:03:48 snoopy sshd[19516]: [ID 179272 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt integrity check failed
>>> Jan 4 10:03:48 snoopy sshd[19516]: [ID 399723 local6.debug] PAM-KRB5 (auth): clearing initcreds in pam_authenticate()
>>> Jan 4 10:03:48 snoopy sshd[19516]: [ID 833335 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth returning 9
>>> Jan 4 10:03:48 snoopy sshd[19516]: [ID 914654 local6.debug] PAM-KRB5 (auth): pam_sm_auth finalize ccname env, result =9, env ='KRB5CCNAME=FILE:/tmp/krb5cc_106', age = 0, status = 9
>>> Jan 4 10:03:48 snoopy sshd[19516]: [ID 525286 local6.debug] PAM-KRB5 (auth): end: Authentication failed
>>> The problem here is it will eventually lock out our domain account.
>>> I am pretty sure this is not a Kerberos issue but was wondering if
>>> anyone else ran into this issue. I am using Solaris 9 and the SSH
>>> that came with it, so Sun_SSH_1.0.1.
>>> thanks much,
>>> Tyson Oswald
>>> ________________________________________________
>>> Kerberos mailing list Kerberos at mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
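The quoted log shows two krb5_get_init_creds_password failures inside one sshd session, the first of them logged before "prompting for password". What follows is an added example, not code from this thread or from Sun's pam_krb5: a small Python parser for the Sun pam_krb5 debug messages that groups events by sshd PID and flags any KDC attempt made before the module prompted, which is the attempt Douglas attributes to try_first_pass consuming the empty token sshd hands to PAM. The sample records are the thread's own messages re-joined onto one syslog line each (the mail client wrapped them), plus a constructed second session (PID 19601) showing the ordering you get once a prompting module runs first; the exact syslog layout and the second session are assumptions.

```python
"""Flag Solaris pam_krb5 sessions that hit the KDC before prompting for a password.

Every 'krb5_get_init_creds_password returns: ...' line is one AS-REQ round trip
to the DC. One logged before 'prompting for password' in the same sshd PID was
made with whatever token PAM already held, which cannot succeed if that token
is empty, and it still counts as a failed logon on the KDC side.
"""
import re
from dataclasses import dataclass, field

# Layout of a Solaris syslog record from pam_krb5 with the 'debug' option
# (assumed from the lines quoted in the thread).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: \[ID \d+ \S+\] PAM-KRB5 \((?P<stack>\w+)\): (?P<msg>.*)$"
)
USER_RE = re.compile(r"attempt_krb5_auth: start: user='(?P<user>[^']*)'")
KDC_RE = re.compile(r"krb5_get_init_creds_password returns: (?P<result>.+)$")
END_RE = re.compile(r"^end: (?P<outcome>.+)$")
PROMPT_MSG = "prompting for password"


@dataclass
class Session:
    pid: str
    user: str = ""
    prompted: bool = False
    # (result string, True if the attempt was logged before any prompt)
    attempts: list = field(default_factory=list)
    outcome: str = ""

    @property
    def pre_prompt_attempts(self) -> int:
        return sum(1 for _, before_prompt in self.attempts if before_prompt)


def parse(lines):
    """Group PAM-KRB5 auth-stack events by sshd PID, preserving log order."""
    sessions = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("stack") != "auth":
            continue
        s = sessions.setdefault(m.group("pid"), Session(m.group("pid")))
        msg = m.group("msg")
        if (u := USER_RE.search(msg)):
            s.user = u.group("user")
        elif (k := KDC_RE.search(msg)):
            s.attempts.append((k.group("result"), not s.prompted))
        elif msg == PROMPT_MSG:
            s.prompted = True
        elif (e := END_RE.match(msg)):
            s.outcome = e.group("outcome")
    return sessions


def findings(sessions):
    """One line per session that contacted the KDC before prompting."""
    out = []
    for s in sessions.values():
        if s.pre_prompt_attempts:
            out.append(
                f"pid {s.pid} user {s.user!r}: {len(s.attempts)} KDC attempt(s), "
                f"{s.pre_prompt_attempts} before the password prompt "
                f"(first-pass token empty?); outcome: {s.outcome}"
            )
    return out


SAMPLE_LINES = [
    # The thread's own session (PID 19516), one record per line.
    "Jan  4 10:03:48 snoopy sshd[19516]: [ID 655841 local6.debug] PAM-KRB5 (auth): pam_sm_authenticate flags=1",
    "Jan  4 10:03:48 snoopy sshd[19516]: [ID 549540 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: start: user='cbrown'",
    "Jan  4 10:03:48 snoopy sshd[19516]: [ID 179272 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt integrity check failed",
    "Jan  4 10:03:48 snoopy sshd[19516]: [ID 399723 local6.debug] PAM-KRB5 (auth): clearing initcreds in pam_authenticate()",
    "Jan  4 10:03:48 snoopy sshd[19516]: [ID 833335 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth returning 9",
    "Jan  4 10:03:48 snoopy sshd[19516]: [ID 954327 local6.debug] PAM-KRB5 (auth): prompting for password",
    "Jan  4 10:03:48 snoopy sshd[19516]: [ID 549540 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: start: user='cbrown'",
    "Jan  4 10:03:48 snoopy sshd[19516]: [ID 179272 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt integrity check failed",
    "Jan  4 10:03:48 snoopy sshd[19516]: [ID 914654 local6.debug] PAM-KRB5 (auth): pam_sm_auth finalize ccname env, result =9, env ='KRB5CCNAME=FILE:/tmp/krb5cc_106', age = 0, status = 9",
    "Jan  4 10:03:48 snoopy sshd[19516]: [ID 525286 local6.debug] PAM-KRB5 (auth): end: Authentication failed",
    # Constructed session (PID 19601): prompt first, then a single KDC attempt.
    "Jan  4 10:05:12 snoopy sshd[19601]: [ID 954327 local6.debug] PAM-KRB5 (auth): prompting for password",
    "Jan  4 10:05:12 snoopy sshd[19601]: [ID 549540 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: start: user='cbrown'",
    "Jan  4 10:05:12 snoopy sshd[19601]: [ID 179272 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt integrity check failed",
    "Jan  4 10:05:12 snoopy sshd[19601]: [ID 525286 local6.debug] PAM-KRB5 (auth): end: Authentication failed",
]

if __name__ == "__main__":
    for line in findings(parse(SAMPLE_LINES)):
        print(line)
```

Point parse() at the file your local6.debug records land in and look at the findings: a session with one pre-prompt attempt is the signature of the double AS-REQ per login, so a single mistyped password costs two bad-password counts on the DC instead of one, while PID 19601 shows the single-attempt pattern you want after the prompting module is ordered first.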