Solaris 9 latest OEM SSH + pam_krb5.so.1
Russ Allbery
rra at stanford.edu
Wed Jan 10 15:24:01 EST 2007
Jeff Blaine <jblaine at kickflop.net> writes:
> Does anyone have a guess as to what I am doing wrong?
> MIT Kerberos 1.5.1
> Solaris 9 OEM SSH (latest patch cluster) with
> 'PAMAuthenticationViaKBDInt yes' and a pam.conf
> as such (which clearly gets hit):
> # Start pam.conf snippet
> sshd-kbdint auth requisite pam_authtok_get.so.1
> sshd-kbdint auth required pam_dhkeys.so.1
> sshd-kbdint auth sufficient pam_krb5.so.1 debug try_first_pass
> sshd-kbdint auth required pam_unix_auth.so.1
> # End of pam.conf snippet
> adm # ssh -vvv -l jblaine test.foo.com
> ...
> debug1: Next authentication method: keyboard-interactive
> debug2: userauth_kbdint
> debug2: we sent a keyboard-interactive packet, wait for reply
> debug2: input_userauth_info_req
> debug2: input_userauth_info_req: num_prompts 1
> Password:
> debug3: packet_send2: adding 32 (len 22 padlen 10 extra_pad 64)
> Connection closed by 192.168.168.100
> debug1: Calling cleanup 0x47d2c(0x0)
> adm #
This may be obvious, but does the account jblaine exist on the system? It
has to be provided by an nsswitch provider, or sshd will always reject
logins to that account regardless of whether it passes a PAM
authentication check.
Also, note that unless the account exists in /etc/shadow (even if you're
not using local passwords), the Unix PAM account module will reject the
login at least in Solaris 8.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
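
The two checks suggested in the reply above, written as a POSIX shell script. This is an added example, not part of the original message; the function names `has_entry`, `resolves` and `diagnose` are illustrative, and a POSIX-compatible shell plus `getent` is assumed.

```shell
#!/bin/sh
# Added example: pre-flight checks for an account that sshd refuses even
# though PAM authentication is configured. Function names are illustrative.

# has_entry USER FILE
# Succeeds if FILE (colon-separated passwd/shadow format) contains a line
# whose first field is exactly USER. Handles a missing final newline.
has_entry() {
    while IFS=: read -r name _rest || [ -n "$name" ]; do
        [ "$name" = "$1" ] && return 0
    done < "$2"
    return 1
}

# resolves USER
# Succeeds if the name service switch (files, NIS, LDAP, ...) returns a
# passwd entry for USER.
resolves() {
    getent passwd "$1" >/dev/null 2>&1
}

# diagnose USER [SHADOW_FILE] [LOOKUP_FUNCTION]
# Prints one verdict and returns 0 only when both checks pass.
# The optional arguments let the logic run against constructed data;
# the defaults are /etc/shadow (readable by root only) and resolves.
diagnose() {
    user=$1
    shadow=${2:-/etc/shadow}
    lookup=${3:-resolves}

    if ! "$lookup" "$user"; then
        echo "nsswitch-missing"
        return 1
    fi
    if [ ! -r "$shadow" ]; then
        echo "shadow-unreadable"
        return 3
    fi
    if ! has_entry "$user" "$shadow"; then
        echo "shadow-missing"
        return 2
    fi
    echo "ok"
}

# When invoked with arguments, run the check: ./script jblaine
if [ "$#" -gt 0 ]; then diagnose "$@"; fi
```

Run it as root on the SSH server so `/etc/shadow` is readable; a verdict of `nsswitch-missing` or `shadow-missing` corresponds to the two rejection causes named in the reply.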