Solaris 9 latest OEM SSH + pam_krb5.so.1
Jeff Blaine
jblaine at kickflop.net
Wed Jan 10 11:47:30 EST 2007
Douglas E. Engert wrote:
> Jeff Blaine wrote:
>> Does anyone have a guess as to what I am doing wrong?
>>
>> MIT Kerberos 1.5.1
>
> Where is MIT Kerberos 1.5.1 used in this?
The KDC.
> You say you are using the Solaris sshd, and since the
> pam.conf file does not give a path for the pam_krb5
> it would use the Solaris version in /usr/lib/secrity/pam_krb5.so
> which would use the Solaris version of Kerberos.
That's the only version on disk. I have no other pam_krb5.
> I assume you are trying to use a pam_krb5 which will use
> the MIT Kerberos 1.5.1? Note the the e-types in the request
> below are (3 1) which are both DES.
That's a separate issue I don't want to address just yet.
>>
>> Solaris 9 OEM SSH (latest patch cluster) with
>> 'PAMAuthenticationViaKBDInt yes' and a pam.conf
>> as such (which clearly gets hit):
>>
>> # Start pam.conf snippet
>> sshd-kbdint auth requisite pam_authtok_get.so.1
>> sshd-kbdint auth required pam_dhkeys.so.1
>> sshd-kbdint auth sufficient pam_krb5.so.1 debug try_first_pass
>> sshd-kbdint auth required pam_unix_auth.so.1
>> # End of pam.conf snippet
>>
>> adm # ssh -vvv -l jblaine test.foo.com
>> ...
>> debug1: Next authentication method: keyboard-interactive
>> debug2: userauth_kbdint
>> debug2: we sent a keyboard-interactive packet, wait for reply
>> debug2: input_userauth_info_req
>> debug2: input_userauth_info_req: num_prompts 1
>> Password:
>> debug3: packet_send2: adding 32 (len 22 padlen 10 extra_pad 64)
>> Connection closed by 192.168.168.100
>> debug1: Calling cleanup 0x47d2c(0x0)
>> adm #
>>
>> debug.log:
>>
>> Jan 9 20:04:13 test.foo.com sshd[462]: [ID 655841 auth.debug]
>> PAM-KRB5 (auth): pam_sm_authenticate flags=0
>> Jan 9 20:04:13 test.foo.com sshd[462]: [ID 549540 auth.debug]
>> PAM-KRB5 (auth): attempt_krb5_auth: start: user='jblaine'
>> Jan 9 20:04:13 test.foo.com sshd[462]: [ID 179272 auth.debug]
>> PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password
>> returns: SUCCESS
>>
>> krb5kdc.log:
>>
>> Jan 09 20:04:13 test.foo.com krb5kdc[445](info): AS_REQ (2 etypes
>> {3 1}) 192.168.168.100: ISSUE: authtime 1168391053, etypes {rep=3
>> tkt=16 ses=1}, jblaine at JBTEST for krbtgt/JBTEST at JBTEST
>> ________________________________________________
>> Kerberos mailing list Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
>
More information about the Kerberos
mailing list