MIT Kerberos and Solaris 10 Kerberos

Wyllys Ingersoll wyllys.ingersoll at sun.com
Tue Jan 11 12:39:20 EST 2005


Heilke, Rainer wrote:

>>
>>ksu is an MIT client, it is not part of Solaris 10. Whose
>>Kerberized apps are you using on Solaris 10 (MIT or the stuff
>>bundled with Solaris 10)?
> 
> 
> I understand that. I'm pointing out that the Solaris 10 system doesn't
> seem to be using the MIT Kerberos, nor the Sun Kerberos cleanly (or
> rather, the Sol10 Kerberos isn't talking to the MIT Kerberos?). It seems
> to be getting confused. (I should double-check that I'm not accidentally
> calling the MIT commands doing any of this on the Sol10 system by making
> sure they aren't in my path...) As an aside, I was told that Solaris had
> its own ksu, possibly in something called the Encryption Kit, or
> something like that. I was able to find this package when Solaris 10
> went to Beta 6, but then it seems to have disappeared off of Sun's
> website. ??


In Solaris 10, all of the Kerberos services are already bundled;
there are no longer any external packages that need to be added.
Whoever told you 'ksu' was part of the encryption kit was mistaken;
ksu has never been part of SEAM.

The encryption kit for Solaris 10 enhances the overall crypto
capabilities of the system; the only benefit Kerberos gets is
that it can support AES-256 with the S10 encryption kit.
Without the S10 encryption kit, the strongest AES crypto
available for Kerberos in S10 is AES-128.


> 
> 
>>>Doing an rlogin to a Sol 8 machine gives no errors at all; it just
>>>quietly fails.
>>
>>- Which rlogin client are you using (MIT or Solaris) ?
>>- Which rlogin server is running on the Sol 8 system?
> 
> 
> Both. All Solaris systems other than this one (the Solaris 10 system)
> are running MIT on Solaris 8.
> 

On the S10 system, you must make sure to enable the "eklogin" service.
Run this command (as root):

# svcadm enable eklogin

If you want to use just the Kerberos-authenticated rlogin (without
encryption), try this:

# svcadm enable klogin

For Solaris 8 with the SEAM rlogin daemon, make sure your inetd.conf entries
are correct. Don't bother with inetd.conf in S10; S10 uses the new SMF
system for managing services (it's very nice once you get used to it).


> Then our entire environment is DES. Where does one set the Solaris 10
> SEAM to use DES?

You indicated below that you are using an MIT Kerberos KDC on the
Solaris 8 systems. So, the key to making things work with the S8
SEAM Kerberos clients is to make sure that the host principals
for those Solaris 8 systems are only issued DES keys. The rlogin
servers in SEAM only support DES since that is all that was
available when the S8 SEAM packages were created.

kadmin -q "addprinc -e des-cbc-md5:normal host/foo.bar.com"
kadmin -q "ktadd -e des-cbc-md5:normal host/foo.bar.com"

(I'm not sure if the syntax for those commands is exactly correct,
but you get the idea).

Solaris 10 systems can be issued AES keys (AES-128 if the encryption
package is not installed, AES-256 otherwise) or RC4, 3DES, or DES.
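As an added example (not part of the original mail or of SEAM/MIT Kerberos itself), here is a small POSIX sh check a sysadmin could run on the Solaris 8 side to confirm the "DES keys only" requirement described above: it reads the output of "klist -e -k" for a keytab and reports any entry for a given host principal whose enctype is not a DES type. The sample listing it checks is constructed for the example (it deliberately mixes the short enctype names and the long descriptions that different klist versions print, so both forms get exercised); the principal names and realm are made up.

```shell
#!/bin/sh
# Added example: audit a "klist -e -k" listing for non-DES keytab entries.
# The Solaris 8 SEAM rlogind only understands DES, so every keytab entry for
# the S8 host principal must be a DES enctype (des-cbc-crc, des-cbc-md5, ...).

# write_sample_keytab_listing FILE
# Writes a constructed "klist -e -k" listing (sample data, not a real keytab).
# Real klist output uses one naming style per version; both styles appear
# here only so the parser is exercised on each.
write_sample_keytab_listing() {
    cat > "$1" <<'EOF'
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/sol8.example.com@EXAMPLE.COM (DES cbc mode with RSA-MD5)
   3 host/sol8.example.com@EXAMPLE.COM (des-cbc-crc)
   5 host/sol10.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   5 host/sol10.example.com@EXAMPLE.COM (DES cbc mode with RSA-MD5)
EOF
}

# non_des_entries FILE PRINCIPAL
# Prints "KVNO principal enctype" for each entry of PRINCIPAL that is not DES.
# Exit status: 0 = all entries are DES, 1 = at least one non-DES entry,
# 2 = the principal has no entries in the listing at all.
non_des_entries() {
    _file=$1
    _princ=$2
    # Keep only "  KVNO principal[@REALM] (enctype)" lines for this principal
    grep -E "^[[:space:]]*[0-9]+[[:space:]]+$_princ(@[^ ]*)? " "$_file" |
    awk '{
        n++
        sub(/[ \t]+$/, "")
        # the enctype is the text inside the trailing parentheses
        s = index($0, "(")
        et = substr($0, s + 1, length($0) - s - 1)
        lc = tolower(et)
        # DES types start with "des-" (short names) or "des " (long names);
        # des3/Triple DES, RC4 and AES do not match and are reported
        if (lc !~ /^des[- ]/) { print $1 " " $2 " " et; bad = 1 }
    } END {
        if (n == 0) exit 2
        exit (bad ? 1 : 0)
    }'
}

# Usage on a real system:
#   klist -e -k /etc/krb5/krb5.keytab > /tmp/keytab.txt
#   non_des_entries /tmp/keytab.txt host/sol8.example.com && echo "DES only: OK"
```

Run against the constructed listing, the S8 host principal passes (both of its entries are DES) while the S10 principal is reported for its aes256-cts-hmac-sha1-96 entry; a principal that is absent from the keytab returns status 2 rather than a false "all DES", since a missing host key is a different problem from a wrong enctype.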


> 
> We have SSH working with the MIT Kerberos (that is, logging in with SSH
> creates forwardable tickets, etc.). What I am trying to do is to SSH in
> to the Solaris 10 machine from our production lab (production and test
> are separated by a firewall, and are two different Kerberos domains),
> and then be able to rlogin to other (Solaris 8/MIT) systems in the test
> lab (that is, in the same Kerberos domain).

SSH in Solaris 10 does support GSSAPI authentication and ticket
forwarding; you may need to enable debugging to get more information
about why the GSS auth is failing (ssh -vvv hostname). If the host
keys on S10 are AES-256, but the system doesn't have the enhanced
crypto package, then that may be causing the failure, but I would
check the debug output from ssh first.

> 
>>- What OS is the client (rlogin or ssh) running on?
> 
> 
> Solaris 10, SEAM going one way, Solaris 8/MIT going the other.

We have tested this and it does work, but you have to make sure
that the S8 system has only DES keys.

> 
> 
>>- What OS is the server (rlogind or sshd) running on?
> 
> 
> Solaris 8, MIT for rlogind in one direction, and Solaris 10/SEAM in the
> other. Typically, I am SSH'ing in to the Solaris 10 system initially
> (from our production lab) and then trying to rlogin to the Solaris 8/MIT
> systems in the test lab (where the Solaris 10 system sits). I have also
> SSH'd to a test lab Solaris 8/MIT system, and tried to rlogin to the
> Solaris 10/SEAM system.

All of this should work; start by getting detailed log information from the
SSH session to see why that part is failing.


-Wyllys

