Solaris 9 latest OEM SSH + pam_krb5.so.1

Douglas E. Engert deengert at anl.gov
Wed Jan 10 14:13:14 EST 2007


Did you add the session and account entries to the pam.conf
for sshd-kbdint? PAM will use the other session and account instead,
and it most likely does not have pam_krb5 listed.

Jeff Blaine wrote:
> Douglas E. Engert wrote:
>> Jeff Blaine wrote:
>>> Does anyone have a guess as to what I am doing wrong?
>>>
>>> MIT Kerberos 1.5.1
>> Where is MIT Kerberos 1.5.1 used in this?
> 
> The KDC.
> 
>> You say you are using the Solaris sshd, and since the
>> pam.conf file does not give a path for the pam_krb5
>> it would use the Solaris version in /usr/lib/security/pam_krb5.so
>> which would use the Solaris version of Kerberos.
> 
> That's the only version on disk.  I have no other pam_krb5.
> 
>> I assume you are trying to use a pam_krb5 which will use
>> the MIT Kerberos 1.5.1?  Note that the e-types in the request
>> below are (3 1) which are both DES.
> 
> That's a separate issue I don't want to address just yet.
> 
>>> Solaris 9 OEM SSH (latest patch cluster) with
>>> 'PAMAuthenticationViaKBDInt yes' and a pam.conf
>>> as such (which clearly gets hit):
>>>
>>> # Start pam.conf snippet
>>> sshd-kbdint   auth requisite    pam_authtok_get.so.1
>>> sshd-kbdint   auth required     pam_dhkeys.so.1
>>> sshd-kbdint   auth sufficient   pam_krb5.so.1 debug try_first_pass
>>> sshd-kbdint   auth required     pam_unix_auth.so.1
>>> # End of pam.conf snippet
>>>
>>> adm # ssh -vvv -l jblaine test.foo.com
>>> ...
>>> debug1: Next authentication method: keyboard-interactive
>>> debug2: userauth_kbdint
>>> debug2: we sent a keyboard-interactive packet, wait for reply
>>> debug2: input_userauth_info_req
>>> debug2: input_userauth_info_req: num_prompts 1
>>> Password:
>>> debug3: packet_send2: adding 32 (len 22 padlen 10 extra_pad 64)
>>> Connection closed by 192.168.168.100
>>> debug1: Calling cleanup 0x47d2c(0x0)
>>> adm #
>>>
>>> debug.log:
>>>
>>> Jan  9 20:04:13 test.foo.com sshd[462]: [ID 655841 auth.debug]
>>> PAM-KRB5 (auth): pam_sm_authenticate flags=0
>>> Jan  9 20:04:13 test.foo.com sshd[462]: [ID 549540 auth.debug]
>>> PAM-KRB5 (auth): attempt_krb5_auth: start: user='jblaine'
>>> Jan  9 20:04:13 test.foo.com sshd[462]: [ID 179272 auth.debug]
>>> PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password 
>>> returns: SUCCESS
>>>
>>> krb5kdc.log:
>>>
>>> Jan 09 20:04:13 test.foo.com krb5kdc[445](info): AS_REQ (2 etypes
>>> {3 1}) 192.168.168.100: ISSUE: authtime 1168391053, etypes {rep=3
>>> tkt=16 ses=1}, jblaine at JBTEST for krbtgt/JBTEST at JBTEST
>>> ________________________________________________
>>> Kerberos mailing list           Kerberos at mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
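
The fallback described in the reply above can be checked mechanically. The following is an added example, not part of the original thread or of any Solaris tooling: it resolves which pam.conf stack applies to a service for each module type, falling back to `other` when the service has no lines of its own, and reports whether a given module is in that stack. The `other` lines in the sample and all function names are assumptions made for illustration.

```python
import os

MODULE_TYPES = ("auth", "account", "session", "password")

# Constructed input: the sshd-kbdint lines are the ones quoted in the thread;
# the "other" lines are assumed for illustration, not the poster's real file.
SAMPLE_PAM_CONF = """\
sshd-kbdint   auth requisite    pam_authtok_get.so.1
sshd-kbdint   auth required     pam_dhkeys.so.1
sshd-kbdint   auth sufficient   pam_krb5.so.1 debug try_first_pass
sshd-kbdint   auth required     pam_unix_auth.so.1
other         account requisite pam_roles.so.1
other         account required  pam_unix_account.so.1
other         session required  pam_unix_session.so.1
"""


def parse_pam_conf(text):
    """Return (service, type, control, module) tuples, skipping comments."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[1] in MODULE_TYPES:
            entries.append(tuple(fields[:4]))
    return entries


def effective_stack(entries, service, mtype):
    """Stack PAM would run: the service's own lines, else those of 'other'."""
    own = [e for e in entries if e[0] == service and e[1] == mtype]
    if own:
        return service, own
    return "other", [e for e in entries if e[0] == "other" and e[1] == mtype]


def audit_module(text, service, module_name):
    """Per module type: (source of the stack, whether module_name is in it)."""
    entries = parse_pam_conf(text)
    report = {}
    for mtype in MODULE_TYPES:
        source, stack = effective_stack(entries, service, mtype)
        modules = [os.path.basename(e[3]) for e in stack]
        report[mtype] = (source, any(m.startswith(module_name) for m in modules))
    return report


if __name__ == "__main__":
    result = audit_module(SAMPLE_PAM_CONF, "sshd-kbdint", "pam_krb5")
    for mtype, (source, found) in result.items():
        print(f"{mtype:8} from {source:12} pam_krb5 present: {found}")
```

On the sample, only the auth stack comes from `sshd-kbdint` and contains pam_krb5; account and session resolve to `other`, where it is absent.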


