Solaris ssh pam_krb

Douglas E. Engert deengert at anl.gov
Tue Mar 28 16:50:12 EST 2006



Fletcher Cocquyt wrote:

> Hi,
> 
> I am attempting to get our Solaris 9 and 10 servers to use campus kdc for ssh
> authentication.
>
> I want to end up with a "cookbook" of step by step instructions on how to
> convert a fresh install of Solaris to kerberized ssh.
>
> Currently I am trying to make it work with Sun's pam_krb linked to Sun's
> kerberos.
> I am using the latest openssh4.3 and openssl0.9.8a (preferred because they will
> keep more up to date than Sun's patches)

On Solaris 10, the Solaris ssh and sshd work pretty well with the Solaris 10
Kerberos. We can even get them to get AFS tokens.

Solaris 9 is a different story. We use the MIT Kerberos and OpenSSH.

> 
> I have:
> 1) Placed my krb5.keytab in /etc/krb5/krb5.keytab:
> # klist -e -k /etc/krb5/krb5.keytab
> Keytab name: FILE:/etc/krb5/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    5 host/HOSTNAME.stanford.edu@stanford.edu (DES cbc mode with CRC-32)

Realms are usually uppercase. Is this the correct principal? How did you
create this keytab file?

> 2) configured openssh via /etc/ssh/sshd_config
> UsePAM yes
> 3) configured /etc/pam.conf
> sshd auth sufficient pam_unix_auth.so.1
> sshd auth required pam_krb5.so.1 debug
> 4) /etc/krb5/krb5.conf is the standard one from campus and includes:
>     default_tgs_enctypes  = des-cbc-crc
>     default_tkt_enctypes  = des-cbc-crc

You may want to take these last two lines out, as it might be forcing to
only accept DES, even though the KDC and the client think it can do better.

> 
> I am currently getting SUCCESS on krb auth, then "bad encryption type" in
> /var/adm/messages.
> 
> Mar 22 11:25:02 HOSTNAME sshd[8392]: [ID 549540 auth.debug] PAM-KRB5 (auth): attempt_krb5_auth: start: user='fcocquyt'
> Mar 22 11:25:02 HOSTNAME sshd[8392]: [ID 179272 auth.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: SUCCESS
> Mar 22 11:25:02 HOSTNAME sshd[8392]: [ID 537602 auth.error] PAM-KRB5 (auth): krb5_verify_init_creds failed: Bad encryption type
> 
> I am almost ready to give up on Sun's pam_krb and kerberos 

Don't give up on Solaris 10 yet, it works rather well with their ssh and sshd.

> - (I've compiled the latest kerberos from MIT and stowed it in /usr/local) -
> but the pam_krb source I found on sourceforge looks SOOOOOOOO out of date....
>
> Can anyone advise how to proceed - whether Sun's pam_krb will work, or how to
> get a pam_krb working from RedHat's source rpms?
> 
> Any help would be appreciated!
> 
> Many thanks,
> 
> Fletcher.
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
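
The two checks raised in the reply above (realm case in the keytab principal, and enctype lines pinned in krb5.conf), as an added example that is not part of the original messages. The function names, host name and realm are hypothetical, the sample input is constructed, and it assumes `klist -e -k` prints principals as `name@REALM`:

```shell
#!/bin/sh
# Read `klist -e -k` output on stdin; flag entries whose realm is not
# upper case and entries whose key is single-DES.
check_keytab_listing() {
    awk '
    $1 ~ /^[0-9]+$/ && $2 ~ /@/ {
        split($2, p, "@")
        if (p[2] != toupper(p[2]))
            printf "REALM_NOT_UPPERCASE kvno=%s %s\n", $1, $2
        if (match($0, /\(.*\)/)) {
            enc = substr($0, RSTART + 1, RLENGTH - 2)
            if (tolower(enc) ~ /^des[ -]/)
                printf "DES_ONLY_KEY kvno=%s %s (%s)\n", $1, $2, enc
        }
    }'
}

# Read krb5.conf on stdin; flag settings that pin the enctype list.
check_krb5_conf() {
    awk '
    /^[ \t]*default_(tgs|tkt)_enctypes[ \t]*=/ {
        split($0, kv, "=")
        gsub(/^[ \t]+|[ \t]+$/, "", kv[1])
        gsub(/^[ \t]+|[ \t]+$/, "", kv[2])
        printf "PINNED_ENCTYPES %s=%s\n", kv[1], kv[2]
    }'
}

# Constructed sample input (hypothetical host and realm names).
sample_klist() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
   5 host/server1.example.edu@example.edu (DES cbc mode with CRC-32)
   6 host/server1.example.edu@EXAMPLE.EDU (AES-256 CTS mode with 96-bit SHA-1 HMAC)
EOF
}
sample_krb5_conf() {
    cat <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.EDU
    default_tgs_enctypes  = des-cbc-crc
    default_tkt_enctypes  = des-cbc-crc
EOF
}

sample_klist | check_keytab_listing
sample_krb5_conf | check_krb5_conf
```

On a real host the same functions can be fed with `klist -e -k /etc/krb5/krb5.keytab | check_keytab_listing` and `check_krb5_conf < /etc/krb5/krb5.conf`.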


