Kerberos and Solaris 9 problems
Richard E. Silverman
res at qoxp.net
Thu Mar 30 20:43:34 EST 2006
> Hey all,
>
> I'm trying to configure a Solaris 9 server to authenticate against an
> Win 2000 ADS server with mixed results and was looking for some
> insight.
>
> So here's the thing; Once logged in, I can run kinit and acquire a
> ticket:
>
> # kinit
> Password for user_name at REALM.COM:
> # klist
> Ticket cache: /tmp/krb5cc_7155
> Default principal: user_name at REALM.COM
>
> Valid starting             Expires                    Service principal
> Thu Mar 30 16:14:41 2006   Fri Mar 31 02:14:41 2006   krbtgt/REALM.COM at REALM.COM
>         renew until Thu Apr 06 17:14:41 2006
>
>
> But, I cannot authenticate with PAM to save my life (with any remote
> client: telnet, ssh, etc.).
>
> Sshd's PAM entry looks like:
>
> sshd auth requisite pam_authtok_get.so.1
> sshd auth required pam_dhkeys.so.1
> sshd auth required pam_krb5.so.1 use_first_pass debug
> sshd auth sufficient pam_unix_auth.so.1
>
> The errors I get in /var/adm/messages are:
>
> Mar 30 16:19:21 servername sshd[3245]: [ID 537602 auth.error]
> PAM-KRB5 (auth): krb5_verify_init_creds failed: Decrypt integrity check
> failed
When you authenticate by remotely-verified password instead of with a
ticket, the server does an extra Kerberos exchange to prevent a KDC
spoofing attack: it acquires a host ticket for the local host. So, the
problem might be with your host key / keytab. I would snoop the Kerberos
traffic to see what's going by.
--
Richard Silverman
res at qoxp.net
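A keytab sanity check for the diagnosis above, added here as an example and not part of the original thread: it parses `klist -k` and `kvno` output to see whether the host keytab still carries the key version the KDC currently uses, which is the key `krb5_verify_init_creds` needs during a password login. The keytab path, principal name and the availability of MIT-style `klist`/`kvno`/`kinit` are assumptions; the sample command output is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check whether the host keytab that
# pam_krb5's krb5_verify_init_creds() relies on matches the KDC's current key.
# Assumes MIT-style klist/kvno/kinit in PATH; the keytab path and principal
# name below are assumptions, adjust them for the host being diagnosed.
KEYTAB=${KEYTAB:-/etc/krb5/krb5.keytab}
HOSTPRINC=${HOSTPRINC:-host/$(hostname)@REALM.COM}
# Key version numbers held in the keytab for principal $1, parsed from the
# text of "klist -k [-t] KEYTAB" passed as $2 so the parser runs offline.
keytab_kvnos() {
    printf '%s\n' "$2" | awk -v p="$1" '$NF == p { print $1 }' | sort -u | xargs
}
# Key version the KDC currently reports, parsed from "kvno PRINC" output
# of the form "host/x@REALM: kvno = 3".
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p'
}
# Returns 0 when at least one keytab entry for $1 carries the KDC's kvno.
# A mismatch means the service key was re-issued and the keytab still holds
# the old one, a common way to get "Decrypt integrity check failed" in PAM.
keytab_matches_kdc() {
    want=$(kdc_kvno "$3")
    [ -n "$want" ] || return 1
    for have in $(keytab_kvnos "$1" "$2"); do
        [ "$have" = "$want" ] && return 0
    done
    return 1
}
# Constructed sample output standing in for the live commands.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ---------------------------------------------------
   2 host/servername.realm.com@REALM.COM
   3 host/servername.realm.com@REALM.COM'
SAMPLE_KVNO_OK='host/servername.realm.com@REALM.COM: kvno = 3'
SAMPLE_KVNO_STALE='host/servername.realm.com@REALM.COM: kvno = 4'
# Live check (set RUN_LIVE=1): kinit -k exercises the same keytab key that
# krb5_verify_init_creds() needs, so a failure here reproduces the PAM error.
if [ "${RUN_LIVE:-0}" = 1 ]; then
    kinit -k -t "$KEYTAB" "$HOSTPRINC" || echo "keytab key cannot obtain a TGT"
    if keytab_matches_kdc "$HOSTPRINC" "$(klist -k "$KEYTAB")" "$(kvno "$HOSTPRINC" 2>&1)"; then
        echo "keytab kvno matches KDC"
    else
        echo "keytab kvno does NOT match KDC: regenerate the keytab"
    fi
fi
```

Run with `RUN_LIVE=1` on the Solaris host to replace the constructed samples with real command output; snooping the AS-REQ/AS-REP for the host principal, as suggested above, confirms the same thing on the wire.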