Solaris 10 ssh logins + w2k3 AD native mode
Douglas E. Engert
deengert at anl.gov
Thu Mar 16 13:58:02 EST 2006
Yes, there are mods to PuTTY for GSSAPI,
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/kerberos-gssapi.htm
lists a few, and this one:
"Another patch here adds support for GSSAPI user authentication
using the MIT Kerberos library. (A previous version of this
patch has been reviewed and found wanting.)"
http://sweb.cz/v_t_m/
I have not found it wanting, and it works well using either the
built-in MS SSPI or the MIT KfW, to the Solaris 10 sshd.
I see you are also asking about AFS in another thread. The Solaris 10
sshd calling the Solaris 10 pam_krb5 with an additional pam_afs2
can be used to get AFS tokens too.
Barry Allard wrote:
> Hi Wyllys,
>
> Primary goal: Kerberize ssh keyboard interactive logins in
> enterprise-administration-friendly way.
>
> Secondary objective #A: manage user authorization (who can login)
> through Active Directory instead of locally (hacking a bunch of text
> files for each new user). create home directory, etc.
>
> Secondary objective #B: ssh (putty) from windows -> sol 10 box ...
> automagically login by Active Directory's kerb ticket (not hostkeys). I
> have seen it working using Centrify ($) PAM mod on the Linux, and no
> mods to windows box.
>
> Thanks,
> Barry
>
>
> Wyllys Ingersoll wrote:
>
>
>>Barry Allard wrote:
>>
>>
>>>Hi,
>>>
>>>This might have been answered in a previous post(s)...
>>>
>>>I'm trying to kerberize solaris 10 x86 sshd and create wiki scratch
>>>build
>>>docs on it. Specifically, I'd like to get kerberos working for
>>>authentication, and LDAP/AD groups working for authorization. Even
>>>better
>>>would be to minimize admin tasks by not having to touch passwd, group,
>>>keytab for every new user, just have PAM modules do it.
>>>
>>
>>
>>
>>The ssh that comes with Solaris 10 already has support for GSSAPI/KRB5
>>authentication.
>>
>>It's not clear to me what you are trying to do with PAM, though. Can
>>you explain in a little more detail?
>>
>>thanks,
>> Wyllys
>>
>>
>>
>>
>>>kinit works great
>>>
>>>------------------- /etc/pam.conf -------------------------
>>>
>>>#
>>>#ident "@(#)pam.conf 1.28 04/04/21 SMI"
>>>#
>>># Copyright 2004 Sun Microsystems, Inc. All rights reserved.
>>># Use is subject to license terms.
>>>#
>>># PAM configuration
>>>#
>>># Unless explicitly defined, all services use the modules
>>># defined in the "other" section.
>>>#
>>># Modules are defined with relative pathnames, i.e., they are
>>># relative to /usr/lib/security/$ISA. Absolute path names, as
>>># present in this file in previous releases are still acceptable.
>>>#
>>># Authentication management
>>>#
>>># login service (explicit because of pam_dial_auth)
>>>#
>>>login auth requisite pam_authtok_get.so.1
>>>login auth required pam_dhkeys.so.1
>>>login auth required pam_unix_cred.so.1
>>>login auth required pam_unix_auth.so.1
>>>login auth required pam_dial_auth.so.1
>>>
>>>
>>># not sure about these... Kerb only would be fine, or Unix as fallback.
>>>sshd-kbdint auth requisite pam_authtok_get.so.1
>>>sshd-kbdint auth required pam_dhkeys.so.1
>>>sshd-kbdint auth required pam_unix_cred.so.1
>>>sshd-kbdint auth sufficient pam_krb5.so.1 use_first_pass debug
>>>sshd-kbdint auth optional pam_unix_auth.so.1
>>>
>>>#
>>># rlogin service (explicit because of pam_rhost_auth)
>>>#
>>>rlogin auth sufficient pam_rhosts_auth.so.1
>>>rlogin auth requisite pam_authtok_get.so.1
>>>rlogin auth required pam_dhkeys.so.1
>>>rlogin auth required pam_unix_cred.so.1
>>>rlogin auth required pam_unix_auth.so.1
>>>#
>>># Kerberized rlogin service
>>>#
>>>krlogin auth required pam_unix_cred.so.1
>>>krlogin auth binding pam_krb5.so.1
>>>krlogin auth required pam_unix_auth.so.1
>>>#
>>># rsh service (explicit because of pam_rhost_auth,
>>># and pam_unix_auth for meaningful pam_setcred)
>>>#
>>>rsh auth sufficient pam_rhosts_auth.so.1
>>>rsh auth required pam_unix_cred.so.1
>>>#
>>># Kerberized rsh service
>>>#
>>>krsh auth required pam_unix_cred.so.1
>>>krsh auth binding pam_krb5.so.1
>>>krsh auth required pam_unix_auth.so.1
>>>#
>>># Kerberized telnet service
>>>#
>>>ktelnet auth required pam_unix_cred.so.1
>>>ktelnet auth binding pam_krb5.so.1
>>>ktelnet auth required pam_unix_auth.so.1
>>>#
>>># PPP service (explicit because of pam_dial_auth)
>>>#
>>>ppp auth requisite pam_authtok_get.so.1
>>>ppp auth required pam_dhkeys.so.1
>>>ppp auth required pam_unix_cred.so.1
>>>ppp auth required pam_unix_auth.so.1
>>>ppp auth required pam_dial_auth.so.1
>>>#
>>># Default definitions for Authentication management
>>># Used when service name is not explicitly mentioned for authentication
>>>#
>>>other auth requisite pam_authtok_get.so.1
>>>other auth required pam_dhkeys.so.1
>>>other auth required pam_unix_cred.so.1
>>>other auth required pam_unix_auth.so.1
>>>#
>>># passwd command (explicit because of a different authentication module)
>>>#
>>>passwd auth required pam_passwd_auth.so.1
>>>#
>>># cron service (explicit because of non-usage of pam_roles.so.1)
>>>#
>>>cron account required pam_unix_account.so.1
>>>#
>>># Default definition for Account management
>>># Used when service name is not explicitly mentioned for account management
>>>#
>>>other account requisite pam_roles.so.1
>>>other account required pam_unix_account.so.1
>>>#
>>># Default definition for Session management
>>># Used when service name is not explicitly mentioned for session management
>>>#
>>>other session sufficient pam_krb5.so.1
>>>other session required pam_unix_session.so.1
>>>#
>>># Default definition for Password management
>>># Used when service name is not explicitly mentioned for password management
>>>#
>>>other password required pam_dhkeys.so.1
>>>other password requisite pam_authtok_get.so.1
>>>other password requisite pam_authtok_check.so.1
>>>other password required pam_authtok_store.so.1
>>>#
>>># Support for Kerberos V5 authentication and example configurations can
>>># be found in the pam_krb5(5) man page under the "EXAMPLES" section.
>>>#
>>># --- EXAMPLES not all that helpful :-(
>>>
>>>------------------- /etc/krb5/krb5.conf -------------------
>>>
>>>[libdefaults]
>>>default_realm = WIN.STANFORD.EDU
>>>forwardable = true
>>>proxiable = true
>>>dns_lookup_realm = true
>>>dns_lookup_kdc = false
>>>
>>>[realms]
>>>
>>>WIN.STANFORD.EDU = {
>>>kdc = 171.64.7.177
>>>admin_server = 171.64.7.177:88
>>>}
>>>
>>>SOM.WIN.STANFORD.EDU = {
>>>kdc = 171.64.7.171
>>>admin_server = 171.64.7.171:88
>>>}
>>>
>>>[domain_realm]
>>>win.stanford.edu = WIN.STANFORD.EDU
>>>.win.stanford.edu = WIN.STANFORD.EDU
>>>som.win.stanford.edu = SOM.WIN.STANFORD.EDU
>>>.som.win.stanford.edu = SOM.WIN.STANFORD.EDU
>>>
>>>[appdefaults]
>>>
>>> pam = {
>>> debug = true
>>> ticket_lifetime = 36000
>>> renew_lifetime = 36000
>>> forwardable = true
>>> krb4_convert = false
>>> }
>>>
>>> kinit = {
>>> renewable = true
>>> forwardable = true
>>> proxiable = false
>>> }
>>>
>>> login = {
>>> krb5_get_tickets = true
>>> }
>>>
>>>
>>>
>>>Thanks,
>>>Barry Allard
>>>Stanford Med School
>>>MedIRT
>>>
>>>Solaris geek level: noob++
>>>Windows geek level: domainadmin- (can't change DCs or make schema changes)
>>>Krb geek level: user--
>>>________________________________________________
>>>Kerberos mailing list Kerberos at mit.edu
>>>https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>
>>
>
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
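One practical check on the pam.conf quoted above: only the sshd-kbdint auth stack was customised, so its account and session handling fall through to the "other" entries (pam_roles/pam_unix_account, so the user still has to exist in the local passwd/name service). The script below, an added example and not code from the thread, parses Solaris-style pam.conf lines and resolves that fallback; the excerpt inside is constructed from the entries quoted in the thread.

```python
# Parse a Solaris 10 style /etc/pam.conf (fields: service module_type
# control_flag module_path [options]) and resolve the stack PAM will run for a
# service, applying the "other" fallback used when a service has no entries of
# a given module type. Sample input is a constructed excerpt of the thread's file.
from collections import defaultdict

SAMPLE_PAM_CONF = """\
# constructed excerpt of /etc/pam.conf
sshd-kbdint auth requisite  pam_authtok_get.so.1
sshd-kbdint auth required   pam_dhkeys.so.1
sshd-kbdint auth required   pam_unix_cred.so.1
sshd-kbdint auth sufficient pam_krb5.so.1 use_first_pass debug
sshd-kbdint auth optional   pam_unix_auth.so.1
other auth requisite pam_authtok_get.so.1
other auth required  pam_dhkeys.so.1
other auth required  pam_unix_cred.so.1
other auth required  pam_unix_auth.so.1
other account requisite pam_roles.so.1
other account required  pam_unix_account.so.1
other session sufficient pam_krb5.so.1
other session required   pam_unix_session.so.1
"""

def parse_pam_conf(text):
    """Return {(service, module_type): [(control_flag, module, options)]} in file order."""
    stacks = defaultdict(list)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank lines and comments
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("pam.conf line %d has fewer than 4 fields: %r" % (lineno, raw))
        service, mtype, flag, module = fields[:4]
        stacks[(service, mtype)].append((flag.lower(), module, tuple(fields[4:])))
    return dict(stacks)

def effective_stack(stacks, service, mtype):
    """Stack PAM runs for (service, mtype): the service's own entries, else 'other'."""
    return stacks.get((service, mtype)) or stacks.get(("other", mtype), [])

def modules_with_flag(stacks, service, mtype):
    """Short module names with their control flag, e.g. ('pam_krb5', 'sufficient')."""
    return [(m.split(".so")[0], f) for f, m, _ in effective_stack(stacks, service, mtype)]

if __name__ == "__main__":
    conf = parse_pam_conf(SAMPLE_PAM_CONF)
    for mtype in ("auth", "account", "session"):
        print(mtype, modules_with_flag(conf, "sshd-kbdint", mtype))
```

Point it at the real file with `parse_pam_conf(open("/etc/pam.conf").read())` to see the effective stacks for any service name sshd uses.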