Solaris 10 ssh logins + w2k3 AD native mode

Douglas E. Engert deengert at anl.gov
Thu Mar 16 13:58:02 EST 2006


Yes there are mods to PuTTY for GSSAPI,

http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/kerberos-gssapi.htm
lists a few, and this one:

  "Another patch here adds support for GSSAPI user authentication
   using the MIT Kerberos library. (A previous version of this
   patch has been reviewed and found wanting.)"

http://sweb.cz/v_t_m/

I have not found it wanting, and it works well using either the
built-in MS SSPI or the MIT KfW, to the Solaris 10 sshd.

I see you are also asking about AFS in another thread. The Solaris 10
sshd calling the Solaris 10 pam_krb5 with an additional pam_afs2
can be used to get AFS tokens too.


Barry Allard wrote:
> Hi Wyllys,
> 
> Primary goal: Kerberize ssh keyboard interactive logins in 
> enterprise-administration-friendly way.
>
> Secondary objective #A: manage user authorization (who can login) 
> through Active Directory instead of locally (hacking a bunch of text 
> files for each new user). create home directory, etc.
>
> Secondary objective #B: ssh (putty) from windows -> sol 10 box ... 
> automagically login by Active Directory's kerb ticket (not hostkeys).  I 
> have seen it working using Centrify ($) PAM mod on the Linux, and no 
> mods to windows box.
> 
> Thanks,
> Barry
> 
> 
> Wyllys Ingersoll wrote:
> 
> 
>>Barry Allard wrote:
>>
>>
>>>Hi,
>>>
>>>This might have been answered in a previous post(s)...
>>>
>>>I'm trying to kerberize solaris 10 x86 sshd and create wiki scratch build
>>>docs on it.  Specifically, I'd like to get kerberos working for
>>>authentication, and LDAP/AD groups working for authorization.  Even better
>>>would be to minimize admin tasks by not having to touch passwd, group,
>>>keytab for every new user, just have PAM modules do it.
>>>  
>>
>>
>>
>>The ssh that comes with Solaris 10 already has support for GSSAPI/KRB5 
>>authentication.
>>
>>It's not clear to me what you are trying to do with PAM, though.  Can
>>you explain in a little more detail?
>>
>>thanks,
>>   Wyllys
>>
>>
>>
>>
>>>kinit works great
>>>
>>>------------------- /etc/pam.conf -------------------------
>>>
>>>#
>>>#ident  "@(#)pam.conf   1.28    04/04/21 SMI"
>>>#
>>># Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
>>># Use is subject to license terms.
>>>#
>>># PAM configuration
>>>#
>>># Unless explicitly defined, all services use the modules
>>># defined in the "other" section.
>>>#
>>># Modules are defined with relative pathnames, i.e., they are
>>># relative to /usr/lib/security/$ISA. Absolute path names, as
>>># present in this file in previous releases are still acceptable.
>>>#
>>># Authentication management
>>>#
>>># login service (explicit because of pam_dial_auth)
>>>#
>>>login   auth requisite          pam_authtok_get.so.1
>>>login   auth required           pam_dhkeys.so.1
>>>login   auth required           pam_unix_cred.so.1
>>>login   auth required           pam_unix_auth.so.1
>>>login   auth required           pam_dial_auth.so.1
>>>
>>>
>>># not sure about these... Kerb only would be fine, or Unix as fallback.
>>>sshd-kbdint    auth requisite          pam_authtok_get.so.1
>>>sshd-kbdint    auth required           pam_dhkeys.so.1
>>>sshd-kbdint     auth required           pam_unix_cred.so.1
>>>sshd-kbdint   auth sufficient         pam_krb5.so.1 use_first_pass debug
>>>sshd-kbdint    auth optional         pam_unix_auth.so.1
>>>
>>>#
>>># rlogin service (explicit because of pam_rhost_auth)
>>>#
>>>rlogin  auth sufficient         pam_rhosts_auth.so.1
>>>rlogin  auth requisite          pam_authtok_get.so.1
>>>rlogin  auth required           pam_dhkeys.so.1
>>>rlogin  auth required           pam_unix_cred.so.1
>>>rlogin  auth required           pam_unix_auth.so.1
>>>#
>>># Kerberized rlogin service
>>>#
>>>krlogin auth required           pam_unix_cred.so.1
>>>krlogin auth binding            pam_krb5.so.1
>>>krlogin auth required           pam_unix_auth.so.1
>>>#
>>># rsh service (explicit because of pam_rhost_auth,
>>># and pam_unix_auth for meaningful pam_setcred)
>>>#
>>>rsh     auth sufficient         pam_rhosts_auth.so.1
>>>rsh     auth required           pam_unix_cred.so.1
>>>#
>>># Kerberized rsh service
>>>#
>>>krsh    auth required           pam_unix_cred.so.1
>>>krsh    auth binding            pam_krb5.so.1
>>>krsh    auth required           pam_unix_auth.so.1
>>>#
>>># Kerberized telnet service
>>>#
>>>ktelnet auth required           pam_unix_cred.so.1
>>>ktelnet auth binding            pam_krb5.so.1
>>>ktelnet auth required           pam_unix_auth.so.1
>>>#
>>># PPP service (explicit because of pam_dial_auth)
>>>#
>>>ppp     auth requisite          pam_authtok_get.so.1
>>>ppp     auth required           pam_dhkeys.so.1
>>>ppp     auth required           pam_unix_cred.so.1
>>>ppp     auth required           pam_unix_auth.so.1
>>>ppp     auth required           pam_dial_auth.so.1
>>>#
>>># Default definitions for Authentication management
>>># Used when service name is not explicitly mentioned for authentication
>>>#
>>>other   auth requisite          pam_authtok_get.so.1
>>>other   auth required           pam_dhkeys.so.1
>>>other   auth required           pam_unix_cred.so.1
>>>other   auth required           pam_unix_auth.so.1
>>>#
>>># passwd command (explicit because of a different authentication module)
>>>#
>>>passwd  auth required           pam_passwd_auth.so.1
>>>#
>>># cron service (explicit because of non-usage of pam_roles.so.1)
>>>#
>>>cron    account required        pam_unix_account.so.1
>>>#
>>># Default definition for Account management
>>># Used when service name is not explicitly mentioned for account management
>>>#
>>>other   account requisite       pam_roles.so.1
>>>other   account required        pam_unix_account.so.1
>>>#
>>># Default definition for Session management
>>># Used when service name is not explicitly mentioned for session management
>>>#
>>>other   session sufficient      pam_krb5.so.1
>>>other   session required        pam_unix_session.so.1
>>>#
>>># Default definition for  Password management
>>># Used when service name is not explicitly mentioned for password management
>>>#
>>>other   password required       pam_dhkeys.so.1
>>>other   password requisite      pam_authtok_get.so.1
>>>other   password requisite      pam_authtok_check.so.1
>>>other   password required       pam_authtok_store.so.1
>>>#
>>># Support for Kerberos V5 authentication and example configurations can
>>># be found in the pam_krb5(5) man page under the "EXAMPLES" section.
>>>#
>>># --- EXAMPLES not all that helpful :-(
>>>
>>>------------------- /etc/krb5/krb5.conf -------------------
>>>
>>>[libdefaults]
>>>default_realm = WIN.STANFORD.EDU
>>>forwardable = true
>>>proxiable = true
>>>dns_lookup_realm = true
>>>dns_lookup_kdc = false
>>>
>>>[realms]
>>>
>>>WIN.STANFORD.EDU = {
>>>kdc = 171.64.7.177
>>>admin_server = 171.64.7.177:88
>>>}
>>>
>>>SOM.WIN.STANFORD.EDU = {
>>>kdc = 171.64.7.171
>>>admin_server = 171.64.7.171:88
>>>}
>>>
>>>[domain_realm]
>>>win.stanford.edu = WIN.STANFORD.EDU
>>>.win.stanford.edu = WIN.STANFORD.EDU
>>>som.win.stanford.edu = SOM.WIN.STANFORD.EDU
>>>.som.win.stanford.edu = SOM.WIN.STANFORD.EDU
>>>
>>>[appdefaults]
>>>
>>>        pam = {
>>>                debug = true
>>>                ticket_lifetime = 36000
>>>                renew_lifetime = 36000
>>>                forwardable = true
>>>                krb4_convert = false
>>>        }
>>>
>>>        kinit = {
>>>                renewable = true
>>>                forwardable = true
>>>                proxiable = false
>>>        }
>>>
>>>        login = {
>>>                krb5_get_tickets = true
>>>        }
>>>
>>>
>>>
>>>Thanks,
>>>Barry Allard
>>>Stanford Med School
>>>MedIRT
>>>
>>>Solaris geek level: noob++
>>>Windows geek level: domainadmin- (can't change DCs or make schema changes)
>>>Krb geek level:     user--
>>>________________________________________________
>>>Kerberos mailing list           Kerberos at mit.edu
>>>https://mailman.mit.edu/mailman/listinfo/kerberos
>>>  
>>
>>
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
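The sshd-kbdint stack quoted above mixes requisite, required, sufficient and optional lines, and the comment in it asks whether "Kerb only" or "Unix as fallback" is the right shape. The flag semantics decide that, so here is a small simulator of the Solaris PAM control flags that runs the posted stack and the two variants the comment asks about. This is an added example, not code from the thread or from Sun: the per-flag rules are my paraphrase of pam.conf(4) (the end-of-stack rule in particular is my reading and should be checked against the man page on the release in use), module outcomes are supplied by the caller instead of by real modules, and pam_dhkeys and pam_unix_cred are modelled as returning PAM_IGNORE for authentication.

```python
# Simulator for the Solaris 10 PAM control flags, written to reason about the
# sshd-kbdint stack posted in this thread. Added example, not from the thread
# or from Sun; the per-flag rules are my paraphrase of pam.conf(4) and the
# module outcomes are supplied by the caller rather than by real PAM modules.

SUCCESS = "PAM_SUCCESS"
FAILURE = "PAM_AUTH_ERR"   # stand-in for any non-success, non-ignore return
IGNORE = "PAM_IGNORE"      # module neither helped nor hurt (treated as absent)

# The sshd-kbdint auth stack from the thread, as (control flag, module) pairs.
POSTED_STACK = [
    ("requisite", "pam_authtok_get.so.1"),
    ("required", "pam_dhkeys.so.1"),
    ("required", "pam_unix_cred.so.1"),
    ("sufficient", "pam_krb5.so.1"),
    ("optional", "pam_unix_auth.so.1"),
]


def with_flag(stack, module, new_flag):
    """Copy of `stack` with one module's control flag replaced."""
    return [(new_flag if m == module else f, m) for f, m in stack]


def run_stack(stack, outcomes):
    """Run the stack and return (final result, list of modules invoked).

    `outcomes` maps a module name to what its pam_sm_authenticate() would
    return; modules absent from the map are modelled as PAM_IGNORE.
    """
    required_err = None   # first failure from a required/requisite/binding line
    optional_err = None   # first failure from an optional/sufficient line
    any_success = False
    invoked = []
    for flag, module in stack:
        invoked.append(module)
        res = outcomes.get(module, IGNORE)
        if res == IGNORE:
            continue
        ok = res == SUCCESS
        if flag == "requisite":
            # failure ends the stack at once, reporting an earlier required
            # failure if one was recorded
            if not ok:
                return required_err or res, invoked
            any_success = True
        elif flag == "required":
            if ok:
                any_success = True
            elif required_err is None:
                required_err = res
        elif flag == "binding":
            # success short-circuits unless a required line already failed;
            # failure counts like a required failure
            if ok and required_err is None:
                return SUCCESS, invoked
            if ok:
                any_success = True
            elif required_err is None:
                required_err = res
        elif flag == "sufficient":
            # success short-circuits unless a required line already failed;
            # failure is only an optional failure
            if ok and required_err is None:
                return SUCCESS, invoked
            if ok:
                any_success = True
            elif optional_err is None:
                optional_err = res
        elif flag == "optional":
            if ok:
                any_success = True
            elif optional_err is None:
                optional_err = res
        else:
            raise ValueError(f"unknown control flag {flag!r}")
    # End of stack (my reading of pam.conf(4)): a required failure wins;
    # otherwise any recorded success wins; otherwise the first optional failure.
    if required_err is not None:
        return required_err, invoked
    if any_success or optional_err is None:
        return SUCCESS, invoked
    return optional_err, invoked


# Constructed scenarios. pam_dhkeys and pam_unix_cred are left out, i.e.
# modelled as PAM_IGNORE, since they set up credentials rather than check a password.
KRB_OK = {"pam_authtok_get.so.1": SUCCESS, "pam_krb5.so.1": SUCCESS, "pam_unix_auth.so.1": SUCCESS}
KRB_BAD_UNIX_OK = {"pam_authtok_get.so.1": SUCCESS, "pam_krb5.so.1": FAILURE, "pam_unix_auth.so.1": SUCCESS}
BOTH_BAD = {"pam_authtok_get.so.1": SUCCESS, "pam_krb5.so.1": FAILURE, "pam_unix_auth.so.1": FAILURE}
NO_PASSWORD = {"pam_authtok_get.so.1": FAILURE}

# "Unix as fallback": pam_unix_auth becomes required. "Kerb only": pam_krb5 becomes binding.
FALLBACK_STACK = with_flag(POSTED_STACK, "pam_unix_auth.so.1", "required")
KRB_ONLY_STACK = with_flag(FALLBACK_STACK, "pam_krb5.so.1", "binding")

if __name__ == "__main__":
    scenarios = [
        ("posted stack, Kerberos accepted", POSTED_STACK, KRB_OK),
        ("posted stack, no password obtained", POSTED_STACK, NO_PASSWORD),
        ("unix fallback, Kerberos rejected, unix accepted", FALLBACK_STACK, KRB_BAD_UNIX_OK),
        ("unix fallback, both rejected", FALLBACK_STACK, BOTH_BAD),
        ("kerberos only, Kerberos rejected, unix accepted", KRB_ONLY_STACK, KRB_BAD_UNIX_OK),
        ("kerberos only, Kerberos accepted", KRB_ONLY_STACK, KRB_OK),
    ]
    for label, stack, outcomes in scenarios:
        result, invoked = run_stack(stack, outcomes)
        print(f"{label:48} -> {result:12} after {len(invoked)} module(s)")
```

Two things the run makes visible: with `sufficient pam_krb5` the Unix module is never consulted once Kerberos accepts the password, and with `binding pam_krb5` a Kerberos rejection is final even though `pam_unix_auth` still runs afterwards, which is the shape the default krlogin/krsh/ktelnet entries in the quoted pam.conf use. With the posted `optional pam_unix_auth` line, that module's verdict can only reach the final result through the end-of-stack rule, which is the part paraphrased here, so confirm it against pam.conf(4) on the target release before relying on it as a fallback.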
