Solaris 9, stock sshd, pam_krb5, MIT 1.4.3 KDC

Jeff Blaine jblaine at kickflop.net
Tue May 16 14:23:16 EDT 2006


Has anyone gotten Solaris 9's sshd and pam_krb5.so
to work?

I can't seem to.  I am told:

     "authentication failed:  Bad encryption type"

     May 16 14:19:33 noodle.foo.com sshd[676]: [ID 537602 auth.error] PAM-KRB5 (auth): krb5_verify_init_creds failed: Bad encryption type

However, MIT Kerberos telnetd and CVS+GSSAPI work fine
and get me a TGT, so I believe there is something funky
going on with pam_krb5 and sshd.

More PAM debug info is at the very bottom of this message.
Any help would be appreciated.

====================================================================
SunOS noodle.foo.com 5.9 Generic_118558-21 sun4u sparc SUNW,Ultra-60

etc > pwd
/etc
etc > ls -ld krb* kdc.conf
drwxr-xr-x   2 root     sys          512 May 16 13:43 krb5/
-rw-r--r--   1 root     other        308 Feb 11 10:30 krb5.conf
-rw-------   1 root     other        522 May 12 17:10 krb5.keytab
-rw-r--r--   1 root     other        374 Feb 22 14:50 kdc.conf
etc > cd krb5
krb5 > ls -l
total 6
lrwxrwxrwx   1 root     other         11 Feb 15 10:06 kdc.conf -> ../kdc.conf
lrwxrwxrwx   1 root     other         12 Feb 15 10:06 krb5.conf -> ../krb5.conf
lrwxrwxrwx   1 root     other         16 May 16 13:38 krb5.keytab -> ../krb5.keytab
krb5 >

pam.conf lines:

login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth sufficient         pam_krb5.so.1
login   auth required           pam_unix_auth.so.1
#
sshd    auth requisite          pam_authtok_get.so.1
sshd    auth required           pam_dhkeys.so.1
sshd    auth sufficient         pam_krb5.so.1
sshd    auth required           pam_unix_auth.so.1
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth sufficient         pam_krb5.so.1
other   auth required           pam_unix_auth.so.1

bash-2.05# /export/home/krb5/sbin/ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
    1    4                host/192.168.168.3@JBTEST
    2    4                host/192.168.168.3@JBTEST
    3    4               host/noodle.foo.com@JBTEST
    4    4               host/noodle.foo.com@JBTEST

====================================================================

pam.conf syslog info via 'debug' module option:

May 16 14:21:39 noodle.foo.com sshd[696]: [ID 655841 auth.debug] PAM-KRB5 (auth): pam_sm_authenticate flags=1
May 16 14:21:39 noodle.foo.com sshd[696]: [ID 954327 auth.debug] PAM-KRB5 (auth): prompting for password
May 16 14:21:39 noodle.foo.com sshd[696]: [ID 549540 auth.debug] PAM-KRB5 (auth): attempt_krb5_auth: start: user='jblaine'
May 16 14:21:39 noodle.foo.com sshd[696]: [ID 179272 auth.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt integrity check failed
May 16 14:21:39 noodle.foo.com sshd[696]: [ID 399723 auth.debug] PAM-KRB5 (auth): clearing initcreds in pam_authenticate()
May 16 14:21:39 noodle.foo.com sshd[696]: [ID 833335 auth.debug] PAM-KRB5 (auth): attempt_krb5_auth returning 9
May 16 14:21:39 noodle.foo.com sshd[696]: [ID 914654 auth.debug] PAM-KRB5 (auth): pam_sm_auth finalize ccname env, result =9, env ='KRB5CCNAME=FILE:/tmp/krb5cc_26560', age = 0, status = 9
May 16 14:21:39 noodle.foo.com sshd[696]: [ID 525286 auth.debug] PAM-KRB5 (auth): end: Authentication failed
May 16 14:21:42 noodle.foo.com sshd[696]: [ID 655841 auth.debug] PAM-KRB5 (auth): pam_sm_authenticate flags=1
May 16 14:21:42 noodle.foo.com sshd[696]: [ID 954327 auth.debug] PAM-KRB5 (auth): prompting for password
May 16 14:21:42 noodle.foo.com sshd[696]: [ID 549540 auth.debug] PAM-KRB5 (auth): attempt_krb5_auth: start: user='jblaine'
May 16 14:21:42 noodle.foo.com sshd[696]: [ID 179272 auth.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: SUCCESS
May 16 14:21:42 noodle.foo.com sshd[696]: [ID 537602 auth.error] PAM-KRB5 (auth): krb5_verify_init_creds failed: Bad encryption type
May 16 14:21:42 noodle.foo.com sshd[696]: [ID 399723 auth.debug] PAM-KRB5 (auth): clearing initcreds in pam_authenticate()
May 16 14:21:42 noodle.foo.com sshd[696]: [ID 833335 auth.debug] PAM-KRB5 (auth): attempt_krb5_auth returning 9
May 16 14:21:42 noodle.foo.com sshd[696]: [ID 914654 auth.debug] PAM-KRB5 (auth): pam_sm_auth finalize ccname env, result =9, env ='KRB5CCNAME=FILE:/tmp/krb5cc_26560', age = 0, status = 9
May 16 14:21:42 noodle.foo.com sshd[696]: [ID 525286 auth.debug] PAM-KRB5 (auth): end: Authentication failed
May 16 14:21:42 noodle.foo.com sshd[696]: [ID 712902 auth.debug] PAM-KRB5 (acct): end: Success
May 16 14:21:42 noodle.foo.com sshd[696]: [ID 800047 auth.info] Accepted password for jblaine from 192.168.168.1 port 3670 ssh2
May 16 14:21:42 noodle.foo.com sshd[696]: [ID 629253 auth.debug] PAM-KRB5 (setcred): start: nowarn = 0, flags = 0x1
May 16 14:21:42 noodle.foo.com sshd[696]: [ID 586274 auth.debug] PAM-KRB5 (setcred): kmd auth_status: Authentication failed
May 16 14:21:42 noodle.foo.com sshd[696]: [ID 115609 auth.debug] PAM-KRB5 (setcred): unable to setcreds, not authenticated!
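
Added example, not part of the original post: a small Python parser that groups the PAM-KRB5 syslog lines above by sshd PID, separates a failed initial password exchange from a failed keytab verification, and flags a login that sshd accepted after the Kerberos step had failed. The sample lines are constructed from the log above (unwrapped); classify() and the finding names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: four key lines from the debug log above, one event per line.
SAMPLE = """\
May 16 14:21:39 noodle.foo.com sshd[696]: [ID 179272 auth.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt integrity check failed
May 16 14:21:42 noodle.foo.com sshd[696]: [ID 179272 auth.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: SUCCESS
May 16 14:21:42 noodle.foo.com sshd[696]: [ID 537602 auth.error] PAM-KRB5 (auth): krb5_verify_init_creds failed: Bad encryption type
May 16 14:21:42 noodle.foo.com sshd[696]: [ID 800047 auth.info] Accepted password for jblaine from 192.168.168.1 port 3670 ssh2
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: \[ID \d+ [\w.]+\] (?P<msg>.*)$")
INIT = re.compile(r"krb5_get_init_creds_password returns: (.+)$")
VERIFY = re.compile(r"krb5_verify_init_creds failed: (.+)$")
ACCEPT = re.compile(r"Accepted (\S+) for (\S+) from (\S+)")

def classify(log_text):
    """Return {sshd_pid: [(finding, detail), ...]} in log order."""
    findings = defaultdict(list)
    last_fail = {}  # pid -> stage of the most recent Kerberos failure
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, msg = int(m.group("pid")), m.group("msg")
        if (r := INIT.search(msg)):
            if r.group(1) == "SUCCESS":
                # Password was good enough to obtain initial credentials.
                last_fail.pop(pid, None)
                findings[pid].append(("tgt_obtained", None))
            else:
                # Initial exchange failed (commonly a wrong password).
                last_fail[pid] = "as_exchange"
                findings[pid].append(("as_exchange_failed", r.group(1)))
        elif (r := VERIFY.search(msg)):
            # Credentials obtained, but checking them against the
            # host key in the keytab failed.
            last_fail[pid] = "keytab_verify"
            findings[pid].append(("keytab_verify_failed", r.group(1)))
        elif ACCEPT.search(msg) and pid in last_fail:
            # sshd let the user in although pam_krb5 had failed, i.e. a
            # later module in the PAM stack authenticated the password.
            findings[pid].append(("accepted_after_krb5_failure", last_fail[pid]))
    return dict(findings)

if __name__ == "__main__":
    for pid, events in classify(SAMPLE).items():
        print(pid, events)
```
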


