Solaris 9 Authentication

Michael Marziani mdmarziani at yahoo.com
Wed Jun 29 18:28:36 EDT 2005 

"Decrypt integrity check" errors usually point to a keytab problem.  Although
I'm somewhat unsure why you had to copy your kadm5.keytab from the master
server, you should have instead created keytabs for each host.  In my setup (we
use Solaris 9 SEAM KDCs with Solaris 9 and Red Hat clients) for each ssh server
I want authenticating to the KDCs I simply log into kadmin from that host with
an admin principal, add a host principle for that server to the database, then
export a keytab containing the host pricipal.

On new host:
> kadmin -p <name>/admin
kadmin: addprinc -randkey host/<FQDN>
kadmin: ktadd host/<FQDN>

That should add the host service key to the default keytab on the system which
should be visible to pam_krb5.

Then adjust pam.conf to use pam_krb5 in the right places.

I'd feel strange moving my master kadm5.keytab to other servers, as I don't
think that's intended or necessary.  The Kerberos FAQ subject 2.3 seems to back
this up:

http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#filesappserv

Best regards,

-Michael


--- scanell <scanell at jpl.nasa.gov> wrote:

> Since ssh authentication is taking place on the SUN server, I took a 
> copy of the keytab file from the Master kerberos server and placed it 
> place of the one created by running ktadd on hostA... now hostA has a 
> copy of the kadm5.keytab from the Master server.
> 
> Once I did this (and this was the same for the SLAVE Kerberos server), 
> then pre-auth works and I was able to sign in to hostA from another 
> Solaris box.
> 
> Can anyone tell me why this works... I am presuming it has something to 
> do with local authentication on hostA that requires the keytab file from 
> the Master where the ticket was originally created and thus the keytab 
> has the data necessary for decryption.
> 
> Steve
> 
> scanell wrote:
> 
> > Configuration:
> > MIT Kerberos 1.4
> > Solaris 9 Master
> > Solaris 9, MAC OSX, & PC Clients
> > /usr/lib/ssh/sshd daemon using pam_krb5.so.1
> > Pre-Auth enabled
> >
> > Issue:
> > MAC and PC clients using ssh authenticate successfully against Solaris 
> > 9 servers and Kerberos system.
> > ssh -l <username> <hostA>
> > <username>@<hostA> Password: <Enter Kerberos Password>
> > Last login: Wed Jun 29 08:26:47 2005 from <client host>
> > motd message
> > $
> >
> > Solaris 9 clients get the following error when using Kerberos 
> > authentication:
> > ssh -l <username> <hostA>
> > <username>@<hostA> Password: <Enter Kerberos Password>
> > Permission denied, please try again.
> > <username>@<hostA> Password: <Enter Shadow Password>
> > Last login: Wed Jun 29 08:26:47 2005 from <client hostA>
> > motd message
> > $
> >
> > Master kdc.log:
> > Jun 29 08:43:55 <master kerberos server> krb5kdc[10062](info): AS_REQ 
> > (2 etypes {3 1}) <hostA ip address> PREAUTH_FAILED: <username at REALM> 
> > for krbtgt at REALM, Decrypt integrity check failed
> >
> > Steve
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> >
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

More information about the Kerberos mailing list