Authenticating via Kerberos in SSH on Solaris 9

oswaldt@ameritech.net oswaldt at ameritech.net
Mon Jan 10 09:49:45 EST 2005


I'm still getting the error "krb5_verify_init_creds failed: Decrypt
integrity check failed".  What does this mean?  Does this mean the
encryption type is bad?  We had this working at one point and
regenerated our host key and now we are getting this strange error.

thanks,

Tyson
"Douglas E. Engert" wrote:
> Tyson Oswald wrote:
>
> > That seems to fix the issue of locking the account but it still dumps
> > that message in the log.  I will try and use use_first_pass and see if
> > that makes a difference.  Adding the pam_getauth_ok seemed to fix the
> > lockout problem.  It's slow going since everything has to be approved
> > before we can make changes to our AD since we are part of a huge forest.
>
> You say it works with login but not sshd?  That would indicate that the
> Solaris Kerberos libs and pam_krb5 can handle the tickets, and the decrypt
> message indicates that the password could not be turned into a key as expected.
>
> You could also write a simple PAM debug exit of your own, and have it
> log the user and password as seen by PAM. Then include this before and after
> the pam_krb5. It could be the Solaris sshd is not passing the password
> correctly to PAM.
>
> Ethereal might also help to see what packets are being sent.
>
>
> >
> > thanks for the help.
> >
> > Tyson
> > On Jan 4, 2005, at 02:16 PM, Douglas E. Engert wrote:
> >
> >>
> >>
> >> Tyson Oswald wrote:
> >>
> >>> Greetings All,
> >>>  I have been making good progress in getting Kerberos to work on
> >>> Solaris 9 and Windows AD.  I have it working very well from the
> >>> console.  Problems arise when I use SSH.  I have my pam.conf
> >>> configured as follows for SSH which is identical to login
> >>> sshd   auth sufficient           pam_unix_auth.so.1
> >>> sshd   auth required           pam_krb5.so.1 try_first_pass debug
> >>
> >>
> >>> When I connect to SSH it does an initial call to the DC before I even
> >>> enter my password, like so
> >>
> >>
> >> So do you also have the sshd auth requisite pam_authok_get.so.1
> >> before these? It should prompt for the initial password. It might
> >> be that the try_first_pass is trying the null string passed by sshd
> >> to pam, thus the first decrypt failure message.
> >>
> >> We are using something like this, but not using the Solaris pam_krb5:
> >>
> >> # sshd - keyboard interactive uses all PAM exists, but
> >> #         privsep gets in the way. So use force.
> >> #         PAM session is called when GSSAPI delegation or
> >> #                Kerberos password used, so get AFS token in all three cases.
> >> #                We want a session type cache, so with ANL PAM
> >> #         pass in ccache=
> >> #         We need ccache= on HP as it does not have pam_putenv
> >> #         RedHat PAM uses session cache already
> >> #
> >> sshd    auth requisite      pam_authtok_get.so.1
> >> sshd    auth required       pam_dhkeys.so.1
> >> sshd    auth sufficient        /krb5/lib/pam_krb5.so.1 use_first_pass forwardable force_creds cache=/tmp/krb5cc_u%u_p%p
> >> sshd    auth required       pam_unix_auth.so.1
> >> #
> >> sshd    session required    pam_unix_session.so.1
> >> sshd    session required    /krb5/lib/pam_afs2.so.1
> >> #
> >>
> >>
> >> If you are interested, we have MIT Krb5 1.3.5 with OpenSSH-3.9p1
> >> working with the Solaris 9 dtlogin, dtsession, xlock, xscreensaver.
> >> The KDC is Windows 2003 AD.
> >>
> >>
> >>> Jan  4 10:03:48 snoopy sshd[19516]: [ID 655841 local6.debug] PAM-KRB5 (auth): pam_sm_authenticate flags=1
> >>> Jan  4 10:03:48 snoopy sshd[19516]: [ID 549540 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: start: user='cbrown'
> >>> Jan  4 10:03:48 snoopy sshd[19516]: [ID 179272 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt integrity check failed
> >>> Jan  4 10:03:48 snoopy sshd[19516]: [ID 399723 local6.debug] PAM-KRB5 (auth): clearing initcreds in pam_authenticate()
> >>> Jan  4 10:03:48 snoopy sshd[19516]: [ID 833335 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth returning 9
> >>> Jan  4 10:03:48 snoopy sshd[19516]: [ID 954327 local6.debug] PAM-KRB5 (auth): prompting for password
> >>> Jan  4 10:03:48 snoopy sshd[19516]: [ID 549540 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: start: user='cbrown'
> >>> Jan  4 10:03:48 snoopy sshd[19516]: [ID 179272 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt integrity check failed
> >>> Jan  4 10:03:48 snoopy sshd[19516]: [ID 399723 local6.debug] PAM-KRB5 (auth): clearing initcreds in pam_authenticate()
> >>> Jan  4 10:03:48 snoopy sshd[19516]: [ID 833335 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth returning 9
> >>> Jan  4 10:03:48 snoopy sshd[19516]: [ID 914654 local6.debug] PAM-KRB5 (auth): pam_sm_auth finalize ccname env, result =9, env ='KRB5CCNAME=FILE:/tmp/krb5cc_106', age = 0, status = 9
> >>> Jan  4 10:03:48 snoopy sshd[19516]: [ID 525286 local6.debug] PAM-KRB5 (auth): end: Authentication failed
> >>> The problem here is it will eventually lock out our domain account.
> >>> I am pretty sure this is not a Kerberos issue but was wondering if
> >>> anyone else ran into this issue.  I am using Solaris 9 and the SSH
> >>> that came with it so Sun_SSH_1.0.1.
> >>> thanks much,
> >>> Tyson Oswald
> >>> ________________________________________________
> >>> Kerberos mailing list           Kerberos at mit.edu
> >>> https://mailman.mit.edu/mailman/listinfo/kerberos
> >>
> >>
> >> --
> >>
> >>  Douglas E. Engert  <DEEngert at anl.gov>
> >>  Argonne National Laboratory
> >>  9700 South Cass Avenue
> >>  Argonne, Illinois  60439
> >>  (630) 252-5444
> >>
> >
> >
> >
> >
>
> --
>
>   Douglas E. Engert  <DEEngert at anl.gov>
>   Argonne National Laboratory
>   9700 South Cass Avenue
>   Argonne, Illinois  60439
>   (630) 252-5444
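Engert's point above, that with no leading requisite pam_authtok_get the try_first_pass option hands sshd's null authtok straight to the KDC, as an added toy model (not Sun's, MIT's or either poster's code): it evaluates the two sshd auth stacks from this thread with Solaris pam.conf control-flag semantics against a constructed KDC that counts bad-password attempts, and shows the original stack burning one extra failed attempt per login. The KDC database and module behaviour are constructed; pam_dhkeys, pam_afs2 and the session stack are omitted.

```python
# Toy model (constructed; not Sun's, MIT's or the posters' code) of how the two
# sshd auth stacks in this thread drive pam_krb5 against a KDC that counts
# bad-password attempts toward lockout. sshd hands PAM an empty authtok.
KDC_PASSWORDS = {"cbrown": "correct-horse"}   # constructed KDC database

class Kdc:
    def __init__(self):
        self.failures = 0   # what AD would count toward the lockout threshold

    def get_init_creds(self, user, password):
        if password and KDC_PASSWORDS.get(user) == password:
            return "ok"
        self.failures += 1  # an empty or wrong password is still a failed attempt
        return "Decrypt integrity check failed"

def run_stack(stack, user, typed_password, kdc):
    """Evaluate a list of (control, module[:option]) with Solaris pam.conf
    semantics for sufficient/requisite/required. Returns True on success."""
    authtok = ""            # sshd has not prompted yet: null authtok
    required_failed = False
    for control, module in stack:
        name, _, opt = module.partition(":")
        if name == "authtok_get":          # pam_authtok_get prompts the user
            authtok, ok = typed_password, True
        elif name == "unix_auth":          # AD user has no local password entry
            ok = False
        elif name == "krb5":
            ok = kdc.get_init_creds(user, authtok) == "ok"
            if not ok and opt == "try_first_pass":   # first try failed: prompt, retry
                authtok = typed_password
                ok = kdc.get_init_creds(user, authtok) == "ok"
        if control == "sufficient" and ok and not required_failed:
            return True
        if control == "requisite" and not ok:
            return False
        if control == "required" and not ok:
            required_failed = True
    return not required_failed

# Stack from the original post: no pam_authtok_get, pam_krb5 with try_first_pass.
ORIGINAL_STACK = [("sufficient", "unix_auth"), ("required", "krb5:try_first_pass")]
# Stack Engert posted (pam_dhkeys omitted): requisite pam_authtok_get first.
ENGERT_STACK = [("requisite", "authtok_get"), ("sufficient", "krb5:use_first_pass"),
                ("required", "unix_auth")]

def kdc_failures(stack, user, typed_password):
    """Run one login attempt; return (authenticated, failed KDC attempts)."""
    kdc = Kdc()
    return run_stack(stack, user, typed_password, kdc), kdc.failures
```

With the original stack even a correct password costs one failed KDC attempt (the null authtok), and a wrong one costs two, which is what drives the lockout counter described in the thread.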