Solaris 10 ssh logins + w2k3 AD native mode

Wyllys Ingersoll wyllys.ingersoll at sun.com
Thu Mar 16 08:45:26 EST 2006


Barry Allard wrote:
> Hi,
>
> This might have been answered in a previous post(s)...
>
> I'm trying to kerberize solaris 10 x86 sshd and create wiki scratch build
> docs on it.  Specifically, I'd like to get kerberos working for
> authentication, and LDAP/AD groups working for authorization.  Even better
> would be to minimize admin tasks by not having to touch passwd, group,
> keytab for every new user, just have PAM modules do it.


The ssh that comes with Solaris 10 already has support for GSSAPI/KRB5 
authentication.

It's not clear to me what you are trying to do with PAM, though.  Can 
you explain in a little more detail?

thanks,
    Wyllys



> kinit works great
>
> ------------------- /etc/pam.conf -------------------------
>
> #
> #ident  "@(#)pam.conf   1.28    04/04/21 SMI"
> #
> # Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
> # Use is subject to license terms.
> #
> # PAM configuration
> #
> # Unless explicitly defined, all services use the modules
> # defined in the "other" section.
> #
> # Modules are defined with relative pathnames, i.e., they are
> # relative to /usr/lib/security/$ISA. Absolute path names, as
> # present in this file in previous releases are still acceptable.
> #
> # Authentication management
> #
> # login service (explicit because of pam_dial_auth)
> #
> login   auth requisite          pam_authtok_get.so.1
> login   auth required           pam_dhkeys.so.1
> login   auth required           pam_unix_cred.so.1
> login   auth required           pam_unix_auth.so.1
> login   auth required           pam_dial_auth.so.1
>
>
> # not sure about these... Kerb only would be fine, or Unix as fallback.
> sshd-kbdint    auth requisite          pam_authtok_get.so.1
> sshd-kbdint    auth required           pam_dhkeys.so.1
> sshd-kbdint     auth required           pam_unix_cred.so.1
> sshd-kbdint   auth sufficient         pam_krb5.so.1 use_first_pass debug
> sshd-kbdint    auth optional         pam_unix_auth.so.1
>
> #
> # rlogin service (explicit because of pam_rhost_auth)
> #
> rlogin  auth sufficient         pam_rhosts_auth.so.1
> rlogin  auth requisite          pam_authtok_get.so.1
> rlogin  auth required           pam_dhkeys.so.1
> rlogin  auth required           pam_unix_cred.so.1
> rlogin  auth required           pam_unix_auth.so.1
> #
> # Kerberized rlogin service
> #
> krlogin auth required           pam_unix_cred.so.1
> krlogin auth binding            pam_krb5.so.1
> krlogin auth required           pam_unix_auth.so.1
> #
> # rsh service (explicit because of pam_rhost_auth,
> # and pam_unix_auth for meaningful pam_setcred)
> #
> rsh     auth sufficient         pam_rhosts_auth.so.1
> rsh     auth required           pam_unix_cred.so.1
> #
> # Kerberized rsh service
> #
> krsh    auth required           pam_unix_cred.so.1
> krsh    auth binding            pam_krb5.so.1
> krsh    auth required           pam_unix_auth.so.1
> #
> # Kerberized telnet service
> #
> ktelnet auth required           pam_unix_cred.so.1
> ktelnet auth binding            pam_krb5.so.1
> ktelnet auth required           pam_unix_auth.so.1
> #
> # PPP service (explicit because of pam_dial_auth)
> #
> ppp     auth requisite          pam_authtok_get.so.1
> ppp     auth required           pam_dhkeys.so.1
> ppp     auth required           pam_unix_cred.so.1
> ppp     auth required           pam_unix_auth.so.1
> ppp     auth required           pam_dial_auth.so.1
> #
> # Default definitions for Authentication management
> # Used when service name is not explicitly mentioned for authentication
> #
> other   auth requisite          pam_authtok_get.so.1
> other   auth required           pam_dhkeys.so.1
> other   auth required           pam_unix_cred.so.1
> other   auth required           pam_unix_auth.so.1
> #
> # passwd command (explicit because of a different authentication module)
> #
> passwd  auth required           pam_passwd_auth.so.1
> #
> # cron service (explicit because of non-usage of pam_roles.so.1)
> #
> cron    account required        pam_unix_account.so.1
> #
> # Default definition for Account management
> # Used when service name is not explicitly mentioned for account management
> #
> other   account requisite       pam_roles.so.1
> other   account required        pam_unix_account.so.1
> #
> # Default definition for Session management
> # Used when service name is not explicitly mentioned for session management
> #
> other   session sufficient      pam_krb5.so.1
> other   session required        pam_unix_session.so.1
> #
> # Default definition for  Password management
> # Used when service name is not explicitly mentioned for password management
> #
> other   password required       pam_dhkeys.so.1
> other   password requisite      pam_authtok_get.so.1
> other   password requisite      pam_authtok_check.so.1
> other   password required       pam_authtok_store.so.1
> #
> # Support for Kerberos V5 authentication and example configurations can
> # be found in the pam_krb5(5) man page under the "EXAMPLES" section.
> #
> # --- EXAMPLES not all that helpful :-(
>
> ------------------- /etc/krb5/krb5.conf -------------------
>
> [libdefaults]
> default_realm = WIN.STANFORD.EDU
> forwardable = true
> proxiable = true
> dns_lookup_realm = true
> dns_lookup_kdc = false
>
> [realms]
>
> WIN.STANFORD.EDU = {
> kdc = 171.64.7.177
> admin_server = 171.64.7.177:88
> }
>
> SOM.WIN.STANFORD.EDU = {
> kdc = 171.64.7.171
> admin_server = 171.64.7.171:88
> }
>
> [domain_realm]
> win.stanford.edu = WIN.STANFORD.EDU
> .win.stanford.edu = WIN.STANFORD.EDU
> som.win.stanford.edu = SOM.WIN.STANFORD.EDU
> .som.win.stanford.edu = SOM.WIN.STANFORD.EDU
>
> [appdefaults]
>
>         pam = {
>                 debug = true
>                 ticket_lifetime = 36000
>                 renew_lifetime = 36000
>                 forwardable = true
>                 krb4_convert = false
>         }
>
>         kinit = {
>                 renewable = true
>                 forwardable = true
>                 proxiable = false
>         }
>
>         login = {
>                 krb5_get_tickets = true
>         }
>
>
>
> Thanks,
> Barry Allard
> Stanford Med School
> MedIRT
>
> Solaris geek level: noob++
> Windows geek level: domainadmin- (can't change DCs or make schema changes)
> Krb geek level:     user--
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
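As an added worked example (not from the thread, and not Sun's code), here is a small evaluator of pam.conf control flags applied to the posted sshd-kbdint auth stack and to the two alternatives Barry mentions: Kerberos only (the binding/required pattern the same pam.conf already uses for krlogin/krsh/ktelnet) and Unix as fallback. The flag semantics are my summary of pam.conf(4), and the assumption that pam_authtok_get, pam_dhkeys and pam_unix_cred succeed for an ordinary user is mine; check both against your release's man pages.

```python
# Constructed module outcomes for three login scenarios (assumption: the
# modules not listed here do no password checking and succeed).
SCENARIOS = {
    "krb ok":            {"pam_krb5.so.1": True,  "pam_unix_auth.so.1": False},
    "krb down, unix ok": {"pam_krb5.so.1": False, "pam_unix_auth.so.1": True},
    "bad password":      {"pam_krb5.so.1": False, "pam_unix_auth.so.1": False},
}

# Module options (use_first_pass, debug) do not affect the control flow.
COMMON = [("requisite", "pam_authtok_get.so.1"),
          ("required",  "pam_dhkeys.so.1"),
          ("required",  "pam_unix_cred.so.1")]
STACKS = {
    "posted":        COMMON + [("sufficient", "pam_krb5.so.1"),
                               ("optional",   "pam_unix_auth.so.1")],
    "kerberos only": COMMON + [("binding",    "pam_krb5.so.1"),
                               ("required",   "pam_unix_auth.so.1")],
    "unix fallback": COMMON + [("sufficient", "pam_krb5.so.1"),
                               ("required",   "pam_unix_auth.so.1")],
}

def evaluate(stack, results):
    """Return True if the stack authenticates the user, using pam.conf(4)
    control-flag semantics as summarised here (an assumption to verify)."""
    required_failed = False   # a required/binding module failed earlier
    any_success = False       # at least one module recorded success
    for flag, module in stack:
        ok = results.get(module, True)
        if flag == "requisite":           # failure ends the stack at once
            if not ok:
                return False
            any_success = True
        elif flag == "required":          # failure is recorded, stack continues
            required_failed |= not ok
            any_success |= ok
        elif flag == "binding":           # success short-circuits; failure counts
            if ok and not required_failed:
                return True
            required_failed |= not ok
        elif flag == "sufficient":        # success short-circuits; failure ignored
            if ok and not required_failed:
                return True
        elif flag == "optional":          # failure never causes overall failure
            any_success |= ok
    return not required_failed and any_success

def evaluate_all():
    """Outcome matrix: stack name -> scenario -> authenticated?"""
    return {name: {s: evaluate(stack, r) for s, r in SCENARIOS.items()}
            for name, stack in STACKS.items()}
```

Under these semantics the posted stack returns success in the "bad password" row, because the failures of a sufficient and an optional module are both ignored once the earlier required modules have succeeded; making pam_unix_auth required gives the Unix fallback, and binding gives Kerberos only.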