Solaris ssh pam_krb

Fletcher Cocquyt fcocquyt at
Tue Mar 28 16:24:02 EST 2006


I am attempting to get our Solaris 9 and 10 servers to use campus kdc for ssh


I want to end up with a "cookbook" of step by step instructions on how to

convert a fresh install of Solaris to kerberized ssh.

Currently I am trying to make it work with Sun's pam_krb linked to Sun's
I am using the latest openssh4.3 and openssl0.9.8a (preferred because they will

keep more up to date than Sun's patches)

I have:
1) Placed my krb5.keytab in /etc/krb5/krb5.keytab:
# klist -e -k /etc/krb5/krb5.keytab
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/ at (DES cbc mode with CRC-32)  
2) configured openssh via /etc/ssh/sshd_config
UsePAM yes
3) configured /etc/pam.conf
sshd auth sufficient
sshd auth required debug
4) /etc/krb5/krb5.conf is the standard one from campus and includes:
    default_tgs_enctypes  = des-cbc-crc
    default_tkt_enctypes  = des-cbc-crc

I am currently getting SUCCESS on krb auth, then "bad encrytion type" in

Mar 22 11:25:02 HOSTNAME sshd[8392]: [ID 549540 auth.debug] PAM-KRB5 (auth):

attempt_krb5_auth: start: user='fcocquyt'
Mar 22 11:25:02 HOSTNAME sshd[8392]: [ID 179272 auth.debug] PAM-KRB5 (auth):

attempt_krb5_auth: krb5_get_init_creds_password returns: SUCCESS
Mar 22 11:25:02 HOSTNAME sshd[8392]: [ID 537602 auth.error] PAM-KRB5 (auth):

krb5_verify_init_creds failed: Bad encryption type 

I am almost ready to give up on Sun's pam_krb and kerberos - (I've compiled the

latest kerberos from MIT and stowed it in /usr/local) - but the pam_krb source I

found on sourceforge looks SOOOOOOOO out of date....

Can anyone advise how to proceed - whether Sun's pam_krb will work, or how to

get a pam_krb working from RedHat's source rpms?

Any help would be appreciated!

Many thanks,


More information about the Kerberos mailing list