Solaris 9 Authentication
scanell
scanell at jpl.nasa.gov
Wed Jun 29 17:41:17 EDT 2005
Since ssh authentication is taking place on the SUN server, I took a
copy of the keytab file from the Master kerberos server and placed it
place of the one created by running ktadd on hostA... now hostA has a
copy of the kadm5.keytab from the Master server.
Once I did this (and this was the same for the SLAVE Kerberos server),
then pre-auth works and I was able to sign in to hostA from another
Solaris box.
Can anyone tell me why this works... I am presuming it has something to
do with local authentication on hostA that requires the keytab file from
the Master where the ticket was originally created and thus the keytab
has the data necessary for decryption.
Steve
scanell wrote:
> Configuration:
> MIT Kerberos 1.4
> Solaris 9 Master
> Solaris 9, MAC OSX, & PC Clients
> /usr/lib/ssh/sshd daemon using pam_krb5.so.1
> Pre-Auth enabled
>
> Issue:
> MAC and PC clients using ssh authenticate successfully against Solaris
> 9 servers and Kerberos system.
> ssh -l <username> <hostA>
> <username>@<hostA> Password: <Enter Kerberos Password>
> Last login: Wed Jun 29 08:26:47 2005 from <client host>
> motd message
> $
>
> Solaris 9 clients get the following error when using Kerberos
> authentication:
> ssh -l <username> <hostA>
> <username>@<hostA> Password: <Enter Kerberos Password>
> Permission denied, please try again.
> <username>@<hostA> Password: <Enter Shadow Password>
> Last login: Wed Jun 29 08:26:47 2005 from <client hostA>
> motd message
> $
>
> Master kdc.log:
> Jun 29 08:43:55 <master kerberos server> krb5kdc[10062](info): AS_REQ
> (2 etypes {3 1}) <hostA ip address> PREAUTH_FAILED: <username at REALM>
> for krbtgt at REALM, Decrypt integrity check failed
>
> Steve
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
More information about the Kerberos
mailing list