SUMMARY: Solaris ssh pam_krb

Fletcher Cocquyt fcocquyt at stanford.edu
Wed Apr 5 02:41:48 EDT 2006


Original Question
Fletcher Cocquyt <fcocquyt <at> stanford.edu> writes:

> 
> Hi,
> 
> I am attempting to get our Solaris 9 and 10 servers to use campus kdc for ssh
> authentication.
> 
> I want to end up with a "cookbook" of step by step instructions on how to
> convert a fresh install of Solaris to kerberized ssh.
> 
> Currently I am trying to make it work with Sun's pam_krb linked to Sun's
> kerberos.
> I am using the latest openssh4.3 and openssl0.9.8a (preferred because they will
> keep more up to date than Sun's patches)
> 
> I have:
> 1) Placed my krb5.keytab in /etc/krb5/krb5.keytab:
> # klist -e -k /etc/krb5/krb5.keytab
> Keytab name: FILE:/etc/krb5/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    5 host/HOSTNAME.stanford.edu <at> stanford.edu (DES cbc mode with CRC-32)
> 2) configured openssh via /etc/ssh/sshd_config
> UsePAM yes
> 3) configured /etc/pam.conf
> sshd auth sufficient pam_unix_auth.so.1
> sshd auth required pam_krb5.so.1 debug
> 4) /etc/krb5/krb5.conf is the standard one from campus and includes:
>     default_tgs_enctypes  = des-cbc-crc
>     default_tkt_enctypes  = des-cbc-crc
> 
> I am currently getting SUCCESS on krb auth, then "bad encryption type" in
> /var/adm/messages.
> 
> Mar 22 11:25:02 HOSTNAME sshd[8392]: [ID 549540 auth.debug] PAM-KRB5 (auth):
> attempt_krb5_auth: start: user='fcocquyt'
> Mar 22 11:25:02 HOSTNAME sshd[8392]: [ID 179272 auth.debug] PAM-KRB5 (auth):
> attempt_krb5_auth: krb5_get_init_creds_password returns: SUCCESS
> Mar 22 11:25:02 HOSTNAME sshd[8392]: [ID 537602 auth.error] PAM-KRB5 (auth):
> krb5_verify_init_creds failed: Bad encryption type
> 
> I am almost ready to give up on Sun's pam_krb and kerberos - (I've compiled
> latest kerberos from MIT and stowed it in /usr/local) - but the pam_krb source
> found on sourceforge looks SOOOOOOOO out of date....
> 
> Can anyone advise how to proceed - whether Sun's pam_krb will work, or how to
> get a pam_krb working from RedHat's source rpms?
> 
> Any help would be appreciated!
> 
> Many thanks,
> 
> Fletcher.
> 
> ________________________________________________
> Kerberos mailing list           Kerberos <at> mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 
Esteemed pam/krb authenticators,

The "bad encryption type" error turned out to be due to these two lines in the
/etc/krb5.conf (in the libdefaults):
    kdc_req_checksum_type = 2
    ap_req_checksum_type  = 2

While not an issue on our Linux servers, the md4 checksums they specify were an
issue for Solaris 9,10.

Commenting them out at the suggestion of Will Fiveash (Sun) resolved the issue
and we are happily sshing to all Solaris 9,10 servers with kerberos
authentication.

I'd like to thank all those who helped - especially 
Will Fiveash
Russ Allbery
Nicolas Williams
Douglas E. Engert

Sun has updated their krg-diag script to catch this issue in the future.

Cheers,
Fletcher.
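As an added check, not code from the thread, Sun or MIT: a POSIX shell function that scans the [libdefaults] section of a krb5.conf for the two checksum_type settings named in the summary above, ignoring commented-out lines and other sections, run here against constructed sample files rather than a real site configuration.

```shell
#!/bin/sh
# Added example, not code from the thread or from Sun: scan a krb5.conf for the
# [libdefaults] checksum settings that broke Sun pam_krb5 on Solaris 9/10 above.

# check_krb5_checksums FILE
# Prints each kdc_req_checksum_type / ap_req_checksum_type found in
# [libdefaults] (commented lines and other sections are ignored).
# Returns 1 if any is set, 0 if the file is clean.
check_krb5_checksums() {
    awk '
        /^[ \t]*[#;]/ { next }                    # krb5.conf comment line
        /^[ \t]*\[/ {                             # [section] header
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/].*$/, "", sec); next
        }
        sec == "libdefaults" &&
        /^[ \t]*(kdc_req|ap_req)_checksum_type[ \t]*=/ {
            split($0, kv, "="); key = kv[1]; val = kv[2]
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            # checksum type 2 is rsa-md4 (RFC 3961), the value in the thread
            note = (val == "2") ? "rsa-md4" : "explicit checksum type"
            printf "%s = %s (%s)\n", key, val, note
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample files (not real site configs): one with the two lines
# that produced "Bad encryption type", one with them commented out.
BROKEN_CONF=$(mktemp)
FIXED_CONF=$(mktemp)
cat > "$BROKEN_CONF" <<'EOF'
[libdefaults]
    default_tgs_enctypes  = des-cbc-crc
    default_tkt_enctypes  = des-cbc-crc
    kdc_req_checksum_type = 2
    ap_req_checksum_type  = 2
[appdefaults]
    ap_req_checksum_type  = 2
EOF
# The fix from the thread: comment the two lines out.
sed 's/^\( *[a-z_]*_checksum_type\)/#\1/' "$BROKEN_CONF" > "$FIXED_CONF"

for f in "$BROKEN_CONF" "$FIXED_CONF"; do
    if check_krb5_checksums "$f"; then echo "$f: clean"; else echo "$f: fix krb5.conf"; fi
done
```

The same key under [appdefaults] in the sample is deliberately left unflagged, since only the [libdefaults] entries were involved in the failure.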