Authenticating via Kerberos in SSH on Solaris 9
oswaldt@ameritech.net
oswaldt at ameritech.net
Mon Jan 10 15:01:19 EST 2005
We ended up deleting the host account in AD and re-creating it, and
that solved the issue. My guess is somehow the account got corrupted
as we had generated the key many times with not resolve.
-Tyson
"Douglas E. Engert" wrote:
> oswaldt at ameritech.net wrote:
>
> > I'm still getting the error "krb5_verify_init_creds failed: Decrypt
> > integrity check failed" What does this mean? Does this mean the
> > encryption type is bad? We had this working at one point and
> > regernated out host key and now we are getting his strange error.
> >
>
> Its from KRB5KRB_AP_ERR_BAD_INTEGRITY and generated in a copule
> of places. After a decrypt operation the message checksum is computed
> and compared to the checksum in the message. If they don't agree it
> usually means the key used to encrypt does not match the key used to
> decrypt. (It could also be the message was modified, or a programing
> error with the way the checksum is generated or the key derived.)
>
> So if you regenerated your hosts keys, it is most likely
> they did not get updated correctly. If you have the output file
> from the ktpass, you can dump it in hex as well as dump
> the krb5.keytab and see if the same keys are in both.
>
>
>
> > thanks,
> >
> > Tyson
> > "Douglas E. Engert" wrote:
> >
> >>Tyson Oswald wrote:
> >>
> >>
> >>>That seems to fix the issue of locking the account but it still
> >
> > dumps
> >
> >>>that message in the log. I will try and use use_first_pass and
see
> >
> > if
> >
> >>>that makes a difference. Adding the pam_getauth_ok seemed to fix
> >
> > the
> >
> >>>lockout problem. It's slow going since everything has to be
> >
> > approved
> >
> >>>before we can make changes to our AD since we are part of a huge
> >
> > forrest.
> >
> >>You say it works with login but not sshd? That would indicate that
> >
> > the
> >
> >>Solaris Kerberos libs and pam_krb5 can handle the tickets, and the
> >
> > decrypt
> >
> >>message indicates that the password could not be turned into a key
as
> >
> > expected.
> >
> >>You could also write a simple PAM debug exit of your own, and have
it
> >>log the user and password as seen by PAM. Then include this before
> >
> > and after
> >
> >>the pam_krb5. It could be the Solaris sshd is not passing the
> >
> > password
> >
> >>correctly to PAM.
> >>
> >>Ethereal might also help to see what packets the are being sent.
> >>
> >>
> >>
> >>>thanks for the help.
> >>>
> >>>Tyson
> >>>On Jan 4, 2005, at 02:16 PM, Douglas E. Engert wrote:
> >>>
> >>>
> >>>>
> >>>>Tyson Oswald wrote:
> >>>>
> >>>>
> >>>>>Greetings All,
> >>>>> I have been making good progress in getting Kerberos to work on
> >>>>>Solaris 9 and Windows AD. I have it working very well from the
> >>>>>console. Problems arise when I use SSH. I have my pam.conf
> >>>>>configured as follows for SSH which is identical to login
> >>>>> sshd auth sufficient pam_unix_auth.so.1
> >>>>>sshd auth required pam_krb5.so.1 try_first_pass
debug
> >>>>
> >>>>
> >>>>>When I connect to SSH it does an initial call to the DC before I
> >
> > even
> >
> >>>>>enter my password, like so
> >>>>
> >>>>
> >>>>So do you also have the sshd auth requisite pam_authok_get.so.1
> >>>>before these? It should prompt for the initial password. It might
> >>>>be that the try_first_pass is trying the null string passed by
> >
> > sshd
> >
> >>>>to pam, thus the first decrypt failure message.
> >>>>
> >>>>We are using something like this, but not using the Solaris
> >
> > pam_krb5:
> >
> >>>># sshd - keyboard interactive uses all PAM exists, but
> >>>># privsep gets in the way. So use force.
> >>>># PAM session is called when GSSAPI delegation or
> >>>># Kerberos password used, so get AFS token in all
> >
> > three
> >
> >>>>cases.
> >>>># We want a session type cache, so with ANL PAM
> >>>># pass in ccache=
> >>>># We need ccache= on HP as it does not have pam_putenv
> >>>># RedHat PAM uses session cache already
> >>>>#
> >>>>sshd auth requisite pam_authtok_get.so.1
> >>>>sshd auth required pam_dhkeys.so.1
> >>>>sshd auth sufficient /krb5/lib/pam_krb5.so.1
> >
> > use_first_pass
> >
> >>>>forwardable force_creds cache=/tmp/krb5cc_u%u_p%p
> >>>>sshd auth required pam_unix_auth.so.1
> >>>>#
> >>>>sshd session required pam_unix_session.so.1
> >>>>sshd session required /krb5/lib/pam_afs2.so.1
> >>>>#
> >>>>
> >>>>
> >>>>If you are interested, we have MIT Krb5 1.3.5 with OpenSSH-3.9p1
> >>>>working with the Solaris 9 dtlogin, dtsession, xlock,
> >
> > xscreensaver.
> >
> >>>>The KDC is Windows 2003 AD.
> >>>>
> >>>>
> >>>>
> >>>>> Jan 4 10:03:48 snoopy sshd[19516]: [ID 655841 local6.debug]
> >>>>>PAM-KRB5 (auth): pam_sm_authenticate flags=1
> >>>>>Jan 4 10:03:48 snoopy sshd[19516]: [ID 549540 local6.debug]
> >
> > PAM-KRB5
> >
> >>>>>(auth): attempt_krb5_auth: start: user='cbrown'
> >>>>>Jan 4 10:03:48 snoopy sshd[19516]: [ID 179272 local6.debug]
> >
> > PAM-KRB5
> >
> >>>>>(auth): attempt_krb5_auth: krb5_get_init_creds_password returns:
> >>>>>Decrypt integrity check failed
> >>>>>Jan 4 10:03:48 snoopy sshd[19516]: [ID 399723 local6.debug]
> >
> > PAM-KRB5
> >
> >>>>>(auth): clearing initcreds in pam_authenticate()
> >>>>>Jan 4 10:03:48 snoopy sshd[19516]: [ID 833335 local6.debug]
> >
> > PAM-KRB5
> >
> >>>>>(auth): attempt_krb5_auth returning 9
> >>>>>Jan 4 10:03:48 snoopy sshd[19516]: [ID 954327 local6.debug]
> >
> > PAM-KRB5
> >
> >>>>>(auth): prompting for password
> >>>>>Jan 4 10:03:48 snoopy sshd[19516]: [ID 549540 local6.debug]
> >
> > PAM-KRB5
> >
> >>>>>(auth): attempt_krb5_auth: start: user='cbrown'
> >>>>>Jan 4 10:03:48 snoopy sshd[19516]: [ID 179272 local6.debug]
> >
> > PAM-KRB5
> >
> >>>>>(auth): attempt_krb5_auth: krb5_get_init_creds_password returns:
> >>>>>Decrypt integrity check failed
> >>>>>Jan 4 10:03:48 snoopy sshd[19516]: [ID 399723 local6.debug]
> >
> > PAM-KRB5
> >
> >>>>>(auth): clearing initcreds in pam_authenticate()
> >>>>>Jan 4 10:03:48 snoopy sshd[19516]: [ID 833335 local6.debug]
> >
> > PAM-KRB5
> >
> >>>>>(auth): attempt_krb5_auth returning 9
> >>>>>Jan 4 10:03:48 snoopy sshd[19516]: [ID 914654 local6.debug]
> >
> > PAM-KRB5
> >
> >>>>>(auth): pam_sm_auth finalize ccname env, result =9, env
> >>>>>='KRB5CCNAME=FILE:/tmp/krb5cc_106', age = 0, status = 9
> >>>>>Jan 4 10:03:48 snoopy sshd[19516]: [ID 525286 local6.debug]
> >
> > PAM-KRB5
> >
> >>>>>(auth): end: Authentication failed
> >>>>> The problem here is it will evantually lock out our domain
> >
> > account.
> >
> >>>>>I am pretty sure this is not a Kerberos issue but was wondering
> >
> > if
> >
> >>>>>anyone else ran into this issue. I am using Solaris 9 and the
> >
> > SSH
> >
> >>>>>that came with it so Sun_SSH_1.0.1.
> >>>>> thanks much,
> >>>>>Tyson Oswald
> >>>>>________________________________________________
> >>>>>Kerberos mailing list Kerberos at mit.edu
> >>>>>https://mailman.mit.edu/mailman/listinfo/kerberos
> >>>>
> >>>>
> >>>>--
> >>>>
> >>>> Douglas E. Engert <DEEngert at anl.gov>
> >>>> Argonne National Laboratory
> >>>> 9700 South Cass Avenue
> >>>> Argonne, Illinois 60439
> >>>> (630) 252-5444
> >>>>
> >>>
> >>>
> >>>
> >>>
> >>--
> >>
> >> Douglas E. Engert <DEEngert at anl.gov>
> >> Argonne National Laboratory
> >> 9700 South Cass Avenue
> >> Argonne, Illinois 60439
> >> (630) 252-5444
> >>________________________________________________
> >>Kerberos mailing list Kerberos at mit.edu
> >>https://mailman.mit.edu/mailman/listinfo/kerberos
> >
> >
> > ________________________________________________
> > Kerberos mailing list Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> >
> >
> >
>
> --
>
> Douglas E. Engert <DEEngert at anl.gov>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
More information about the Kerberos
mailing list