Solaris 9 Authentication

[scanell]

Since ssh authentication is taking place on the SUN server, I took a 
copy of the keytab file from the Master kerberos server and placed it 
place of the one created by running ktadd on hostA... now hostA has a 
copy of the kadm5.keytab from the Master server.

Once I did this (and this was the same for the SLAVE Kerberos server), 
then pre-auth works and I was able to sign in to hostA from another 
Solaris box.

Can anyone tell me why this works... I am presuming it has something to 
do with local authentication on hostA that requires the keytab file from 
the Master where the ticket was originally created and thus the keytab 
has the data necessary for decryption.

Steve

scanell wrote:

> Configuration:
> MIT Kerberos 1.4
> Solaris 9 Master
> Solaris 9, MAC OSX, & PC Clients
> /usr/lib/ssh/sshd daemon using pam_krb5.so.1
> Pre-Auth enabled
>
> Issue:
> MAC and PC clients using ssh authenticate successfully against Solaris 
> 9 servers and Kerberos system.
> ssh -l <username> <hostA>
> <username>@<hostA> Password: <Enter Kerberos Password>
> Last login: Wed Jun 29 08:26:47 2005 from <client host>
> motd message
> $
>
> Solaris 9 clients get the following error when using Kerberos 
> authentication:
> ssh -l <username> <hostA>
> <username>@<hostA> Password: <Enter Kerberos Password>
> Permission denied, please try again.
> <username>@<hostA> Password: <Enter Shadow Password>
> Last login: Wed Jun 29 08:26:47 2005 from <client hostA>
> motd message
> $
>
> Master kdc.log:
> Jun 29 08:43:55 <master kerberos server> krb5kdc[10062](info): AS_REQ 
> (2 etypes {3 1}) <hostA ip address> PREAUTH_FAILED: <username at REALM> 
> for krbtgt at REALM, Decrypt integrity check failed
>
> Steve
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>