Authenticating via Kerberos in SSH on Solaris 9

Douglas E. Engert deengert at anl.gov
Mon Jan 10 12:20:20 EST 2005



oswaldt at ameritech.net wrote:

> I'm still getting the error "krb5_verify_init_creds failed: Decrypt
> integrity check failed"  What does this mean?  Does this mean the
> encryption type is bad?  We had this working at one point and
> regenerated our host key and now we are getting this strange error.
>

It's from KRB5KRB_AP_ERR_BAD_INTEGRITY and generated in a couple
of places. After a decrypt operation the message checksum is computed
and compared to the checksum in the message. If they don't agree it
usually means the key used to encrypt does not match the key used to
decrypt. (It could also be the message was modified, or a programming
error with the way the checksum is generated or the key derived.)

So if you regenerated your host keys, it is most likely
they did not get updated correctly. If you have the output file
from the ktpass, you can dump it in hex as well as dump
the krb5.keytab and see if the same keys are in both.



> thanks,
> 
> Tyson
> "Douglas E. Engert" wrote:
> 
>>Tyson Oswald wrote:
>>
>>
>>>That seems to fix the issue of locking the account but it still dumps
>>>that message in the log.  I will try and use use_first_pass and see if
>>>that makes a difference.  Adding the pam_getauth_ok seemed to fix the
>>>lockout problem.  It's slow going since everything has to be approved
>>>before we can make changes to our AD since we are part of a huge forest.
> 
>>You say it works with login but not sshd?  That would indicate that the
>>Solaris Kerberos libs and pam_krb5 can handle the tickets, and the decrypt
>>message indicates that the password could not be turned into a key as
>>expected.
> 
>>You could also write a simple PAM debug exit of your own, and have it
>>log the user and password as seen by PAM. Then include this before and after
>>the pam_krb5. It could be the Solaris sshd is not passing the password
>>correctly to PAM.
>>
>>Ethereal might also help to see what packets are being sent.
>>
>>
>>
>>>thanks for the help.
>>>
>>>Tyson
>>>On Jan 4, 2005, at 02:16 PM, Douglas E. Engert wrote:
>>>
>>>
>>>>
>>>>Tyson Oswald wrote:
>>>>
>>>>
>>>>>Greetings All,
>>>>> I have been making good progress in getting Kerberos to work on
>>>>>Solaris 9 and Windows AD.  I have it working very well from the
>>>>>console.  Problems arise when I use SSH.  I have my pam.conf
>>>>>configured as follows for SSH which is identical to login
>>>>> sshd   auth sufficient           pam_unix_auth.so.1
>>>>>sshd   auth required           pam_krb5.so.1 try_first_pass debug
>>>>
>>>>
>>>>>When I connect to SSH it does an initial call to the DC before I even
>>>>>enter my password, like so
>>>>
>>>>
>>>>So do you also have the sshd auth requisite pam_authtok_get.so.1
>>>>before these? It should prompt for the initial password. It might
>>>>be that the try_first_pass is trying the null string passed by sshd
>>>>to pam, thus the first decrypt failure message.
>>>>
>>>>We are using something like this, but not using the Solaris pam_krb5:
>>>>
>>>># sshd - keyboard interactive uses all PAM exists, but
>>>>#         privsep gets in the way. So use force.
>>>>#         PAM session is called when GSSAPI delegation or
>>>>#                Kerberos password used, so get AFS token in all three cases.
>>>>#                We want a session type cache, so with ANL PAM
>>>>#         pass in ccache=
>>>>#         We need ccache= on HP as it does not have pam_putenv
>>>>#         RedHat PAM uses session cache already
>>>>#
>>>>sshd    auth requisite      pam_authtok_get.so.1
>>>>sshd    auth required       pam_dhkeys.so.1
>>>>sshd    auth sufficient     /krb5/lib/pam_krb5.so.1 use_first_pass forwardable force_creds cache=/tmp/krb5cc_u%u_p%p
>>>>sshd    auth required       pam_unix_auth.so.1
>>>>#
>>>>sshd    session required    pam_unix_session.so.1
>>>>sshd    session required    /krb5/lib/pam_afs2.so.1
>>>>#
>>>>
>>>>
>>>>If you are interested, we have MIT Krb5 1.3.5 with OpenSSH-3.9p1
>>>>working with the Solaris 9 dtlogin, dtsession, xlock, xscreensaver.
>>>>The KDC is Windows 2003 AD.
>>>>
>>>>
>>>>
>>>>> Jan  4 10:03:48 snoopy sshd[19516]: [ID 655841 local6.debug] PAM-KRB5 (auth): pam_sm_authenticate flags=1
>>>>>Jan  4 10:03:48 snoopy sshd[19516]: [ID 549540 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: start: user='cbrown'
>>>>>Jan  4 10:03:48 snoopy sshd[19516]: [ID 179272 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt integrity check failed
>>>>>Jan  4 10:03:48 snoopy sshd[19516]: [ID 399723 local6.debug] PAM-KRB5 (auth): clearing initcreds in pam_authenticate()
>>>>>Jan  4 10:03:48 snoopy sshd[19516]: [ID 833335 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth returning 9
>>>>>Jan  4 10:03:48 snoopy sshd[19516]: [ID 954327 local6.debug] PAM-KRB5 (auth): prompting for password
>>>>>Jan  4 10:03:48 snoopy sshd[19516]: [ID 549540 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: start: user='cbrown'
>>>>>Jan  4 10:03:48 snoopy sshd[19516]: [ID 179272 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt integrity check failed
>>>>>Jan  4 10:03:48 snoopy sshd[19516]: [ID 399723 local6.debug] PAM-KRB5 (auth): clearing initcreds in pam_authenticate()
>>>>>Jan  4 10:03:48 snoopy sshd[19516]: [ID 833335 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth returning 9
>>>>>Jan  4 10:03:48 snoopy sshd[19516]: [ID 914654 local6.debug] PAM-KRB5 (auth): pam_sm_auth finalize ccname env, result =9, env ='KRB5CCNAME=FILE:/tmp/krb5cc_106', age = 0, status = 9
>>>>>Jan  4 10:03:48 snoopy sshd[19516]: [ID 525286 local6.debug] PAM-KRB5 (auth): end: Authentication failed
>>>>> The problem here is it will eventually lock out our domain account.
>>>>>I am pretty sure this is not a Kerberos issue but was wondering if
>>>>>anyone else ran into this issue.  I am using Solaris 9 and the SSH
>>>>>that came with it so  Sun_SSH_1.0.1.
>>>>> thanks much,
>>>>>Tyson Oswald
>>>>>________________________________________________
>>>>>Kerberos mailing list           Kerberos at mit.edu
>>>>>https://mailman.mit.edu/mailman/listinfo/kerberos
>>>>
>>>>
>>>>--
>>>>
>>>> Douglas E. Engert  <DEEngert at anl.gov>
>>>> Argonne National Laboratory
>>>> 9700 South Cass Avenue
>>>> Argonne, Illinois  60439
>>>> (630) 252-5444
>>>>
>>>
>>>
>>>
>>>
>>--
>>
>>  Douglas E. Engert  <DEEngert at anl.gov>
>>  Argonne National Laboratory
>>  9700 South Cass Avenue
>>  Argonne, Illinois  60439
>>  (630) 252-5444

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

