Solaris 9 latest OEM SSH + pam_krb5.so.1
Jeff Blaine
jblaine at kickflop.net
Wed Jan 10 14:23:43 EST 2007
Yup:
sshd-kbdint account optional pam_krb5.so.1 debug
sshd-kbdint session optional pam_krb5.so.1 debug
sshd-kbdint password optional pam_krb5.so.1 debug
Douglas E. Engert wrote:
> Did you add the session and account entries to the pam.conf
> for sshd-kdbint? Pam will use the other sesison and account instead,
> and it most likely does not have pam_krb5 listed.
>
> Jeff Blaine wrote:
>> Douglas E. Engert wrote:
>>> Jeff Blaine wrote:
>>>> Does anyone have a guess as to what I am doing wrong?
>>>>
>>>> MIT Kerberos 1.5.1
>>> Where is MIT Kerberos 1.5.1 used in this?
>>
>> The KDC.
>>
>>> You say you are using the Solaris sshd, and since the
>>> pam.conf file does not give a path for the pam_krb5
>>> it would use the Solaris version in /usr/lib/secrity/pam_krb5.so
>>> which would use the Solaris version of Kerberos.
>>
>> That's the only version on disk. I have no other pam_krb5.
>>
>>> I assume you are trying to use a pam_krb5 which will use
>>> the MIT Kerberos 1.5.1? Note the the e-types in the request
>>> below are (3 1) which are both DES.
>>
>> That's a separate issue I don't want to address just yet.
>>
>>>> Solaris 9 OEM SSH (latest patch cluster) with
>>>> 'PAMAuthenticationViaKBDInt yes' and a pam.conf
>>>> as such (which clearly gets hit):
>>>>
>>>> # Start pam.conf snippet
>>>> sshd-kbdint auth requisite pam_authtok_get.so.1
>>>> sshd-kbdint auth required pam_dhkeys.so.1
>>>> sshd-kbdint auth sufficient pam_krb5.so.1 debug try_first_pass
>>>> sshd-kbdint auth required pam_unix_auth.so.1
>>>> # End of pam.conf snippet
>>>>
>>>> adm # ssh -vvv -l jblaine test.foo.com
>>>> ...
>>>> debug1: Next authentication method: keyboard-interactive
>>>> debug2: userauth_kbdint
>>>> debug2: we sent a keyboard-interactive packet, wait for reply
>>>> debug2: input_userauth_info_req
>>>> debug2: input_userauth_info_req: num_prompts 1
>>>> Password:
>>>> debug3: packet_send2: adding 32 (len 22 padlen 10 extra_pad 64)
>>>> Connection closed by 192.168.168.100
>>>> debug1: Calling cleanup 0x47d2c(0x0)
>>>> adm #
>>>>
>>>> debug.log:
>>>>
>>>> Jan 9 20:04:13 test.foo.com sshd[462]: [ID 655841 auth.debug]
>>>> PAM-KRB5 (auth): pam_sm_authenticate flags=0
>>>> Jan 9 20:04:13 test.foo.com sshd[462]: [ID 549540 auth.debug]
>>>> PAM-KRB5 (auth): attempt_krb5_auth: start: user='jblaine'
>>>> Jan 9 20:04:13 test.foo.com sshd[462]: [ID 179272 auth.debug]
>>>> PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password
>>>> returns: SUCCESS
>>>>
>>>> krb5kdc.log:
>>>>
>>>> Jan 09 20:04:13 test.foo.com krb5kdc[445](info): AS_REQ (2 etypes
>>>> {3 1}) 192.168.168.100: ISSUE: authtime 1168391053, etypes {rep=3
>>>> tkt=16 ses=1}, jblaine at JBTEST for krbtgt/JBTEST at JBTEST
>>>> ________________________________________________
>>>> Kerberos mailing list Kerberos at mit.edu
>>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>>
>>>>
>> ________________________________________________
>> Kerberos mailing list Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
>
More information about the Kerberos
mailing list