Solaris ssh pam_krb
Nicolas Williams
Nicolas.Williams at sun.com
Tue Mar 28 23:57:53 EST 2006
On Tue, Mar 28, 2006 at 03:50:12PM -0600, Douglas E. Engert wrote:
> Fletcher Cocquyt wrote:
> > I have:
> > 1) Placed my krb5.keytab in /etc/krb5/krb5.keytab:
> > # klist -e -k /etc/krb5/krb5.keytab
> > Keytab name: FILE:/etc/krb5/krb5.keytab
> > KVNO Principal
> > ---- --------------------------------------------------------------------------
> > 5 host/HOSTNAME.stanford.edu at stanford.edu (DES cbc mode with CRC-32)
>
> Realms are usually uppercase. Is this the correct principal? How did you
> create this keytab file?
And the hostnames in the principals are all lower case.
> > 2) configured openssh via /etc/ssh/sshd_config
> > UsePAM yes
> > 3) configured /etc/pam.conf
> > sshd auth sufficient pam_unix_auth.so.1
> > sshd auth required pam_krb5.so.1 debug
> > 4) /etc/krb5/krb5.conf is the standard one from campus and includes:
> > default_tgs_enctypes = des-cbc-crc
> > default_tkt_enctypes = des-cbc-crc
>
> You may want to take these last two lines out, as it might be forcing it to
> only accept DES, even though the KDC and the client think it can do better.
Perhaps you're running into:
6320871 kinit fails if default_tkt_enctypes = des-cbc-crc but princ has des-cbc-md5 and preauth required
> >
> > I am currently getting SUCCESS on krb auth, then "bad encryption type" in
> > /var/adm/messages.
> >
> > Mar 22 11:25:02 HOSTNAME sshd[8392]: [ID 549540 auth.debug] PAM-KRB5 (auth): attempt_krb5_auth: start: user='fcocquyt'
> > Mar 22 11:25:02 HOSTNAME sshd[8392]: [ID 179272 auth.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: SUCCESS
> > Mar 22 11:25:02 HOSTNAME sshd[8392]: [ID 537602 auth.error] PAM-KRB5 (auth): krb5_verify_init_creds failed: Bad encryption type
Here the host took your username and password and got a TGT, then it got
a service ticket and then it complained about a "bad" encryption type.
What does klist -ke say?
Can you send kadmin(1) getprinc output for the host's host principal?
Is SUNWcry (supplemental crypto package, needed for AES w/ 256-bit keys)
installed?
You may be running into the CR listed above.
> > I am almost ready to give up on Sun's pam_krb and kerberos
>
> Don't give up on Solaris 10 yet, it works rather well with their ssh and sshd.
Thanks Doug. I agree :)
BTW, password validation with Kerberos V is something you want, but in
the case of ssh what you really want is to use Kerberos V for network
authentication, not password validation. The way you do this is by
first acquiring a TGT (via kinit(1) or at logon time via pam_krb5(5))
and then using the 'gssapi-keyex' and/or 'gssapi-with-mic' SSHv2
authentication methods.
See sshd(1M), sshd_config(1M), krb5_auth_rules(5), etcetera.
BTW, you can also use the security-discuss at opensolaris.org list for
Solaris- and security-specific queries.
Nico
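A check for the keytab listing that Doug and Nico ask about above (an added example, not code from the thread): a POSIX shell/awk filter over `klist -e -k` output that flags a realm that is not upper-case, a host name that is not lower-case, and single-DES keys. The listing it reads here is constructed sample data, not the poster's real keytab.

```shell
#!/bin/sh
# Constructed sample of `klist -e -k /etc/krb5/krb5.keytab` output.
# The first entry mirrors the problem described in the thread (lower-case realm,
# upper-case host name, single-DES key); the second is a healthy entry.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/HOSTNAME.stanford.edu@stanford.edu (DES cbc mode with CRC-32)
   3 host/kdc1.example.com@EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)'

# check_keytab_listing: reads klist -e -k output on stdin, prints one
# "WARN" line per problem found, returns 1 if any problem, 0 otherwise.
check_keytab_listing() {
    awk '
    # Key entries are the lines that start with a numeric KVNO.
    $1 ~ /^[0-9]+$/ {
        princ = $2
        split(princ, parts, "@"); name = parts[1]; realm = parts[2]
        split(name, np, "/"); host = np[2]
        # Encryption type is the text inside the trailing parentheses.
        enc = $0; sub(/^[^(]*\(/, "", enc); sub(/\)$/, "", enc)
        if (realm != toupper(realm)) {
            print "WARN " princ ": realm is not upper-case"; bad = 1
        }
        if (host != "" && host != tolower(host)) {
            print "WARN " princ ": host name is not lower-case"; bad = 1
        }
        if (enc ~ /^DES /) {
            print "WARN " princ ": single-DES key (" enc "), check default_*_enctypes in krb5.conf"; bad = 1
        }
    }
    END { exit (bad ? 1 : 0) }'
}

# Usage: run against the constructed sample (replace with a real listing:
#   klist -e -k /etc/krb5/krb5.keytab | check_keytab_listing).
printf '%s\n' "$SAMPLE_KLIST" | check_keytab_listing || echo "keytab listing has problems"
```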