Solaris 9 latest OEM SSH + pam_krb5.so.1

Jeff Blaine jblaine at kickflop.net
Wed Jan 10 15:34:20 EST 2007


> Do you have a sshd-kbdint session pam_unix.so.1
> The other entries are only used if there are no entries
> for service.

Here's everything (so, no):

sshd-kbdint     auth requisite          pam_authtok_get.so.1
sshd-kbdint     auth required           pam_dhkeys.so.1
sshd-kbdint     auth sufficient         pam_krb5.so.1 debug try_first_pass
sshd-kbdint     auth required           pam_unix_auth.so.1
sshd-kbdint     account optional        pam_krb5.so.1 debug
sshd-kbdint     session optional        pam_krb5.so.1 debug
sshd-kbdint     password optional       pam_krb5.so.1 debug

Adding:

     sshd-kbdint    session required   pam_unix.so.1

Resulting in:

sshd-kbdint     auth requisite          pam_authtok_get.so.1
sshd-kbdint     auth required           pam_dhkeys.so.1
sshd-kbdint     auth sufficient         pam_krb5.so.1 debug try_first_pass
sshd-kbdint     auth required           pam_unix_auth.so.1
#
sshd-kbdint     account optional        pam_krb5.so.1 debug
sshd-kbdint     session required        pam_unix.so.1
sshd-kbdint     session optional        pam_krb5.so.1 debug
sshd-kbdint     password optional       pam_krb5.so.1 debug

Gives me the same SSH results and the same info in my logs
as before.

> See the man page on pam_krb5. It shows for session,
> pam_krb5 and pam_unix.
> 
> 
> (We use the OpenSSH and MIT Kerberos and older heavily modified
> pam_krb5 on Solaris 9 but use the Solaris sshd, pam_krb5 and
> Kerberos on Solaris 10.)
> 
>>
>> Douglas E. Engert wrote:
>>> Did you add the session and account entries to the pam.conf
>>> for sshd-kbdint? Pam will use the other session and account instead,
>>> and it most likely does not have pam_krb5 listed.
>>>
>>> Jeff Blaine wrote:
>>>> Douglas E. Engert wrote:
>>>>> Jeff Blaine wrote:
>>>>>> Does anyone have a guess as to what I am doing wrong?
>>>>>>
>>>>>> MIT Kerberos 1.5.1
>>>>> Where is MIT Kerberos 1.5.1 used in this?
>>>> The KDC.
>>>>
>>>>> You say you are using the Solaris sshd, and since the
>>>>> pam.conf file does not give a path for the pam_krb5
>>>>> it would use the Solaris version in /usr/lib/security/pam_krb5.so
>>>>> which would use the Solaris version of Kerberos.
>>>> That's the only version on disk.  I have no other pam_krb5.
>>>>
>>>>> I assume you are trying to use a pam_krb5 which will use
>>>>> the MIT Kerberos 1.5.1?  Note that the e-types in the request
>>>>> below are (3 1) which are both DES.
>>>> That's a separate issue I don't want to address just yet.
>>>>
>>>>>> Solaris 9 OEM SSH (latest patch cluster) with
>>>>>> 'PAMAuthenticationViaKBDInt yes' and a pam.conf
>>>>>> as such (which clearly gets hit):
>>>>>>
>>>>>> # Start pam.conf snippet
>>>>>> sshd-kbdint   auth requisite    pam_authtok_get.so.1
>>>>>> sshd-kbdint   auth required     pam_dhkeys.so.1
>>>>>> sshd-kbdint   auth sufficient   pam_krb5.so.1 debug try_first_pass
>>>>>> sshd-kbdint   auth required     pam_unix_auth.so.1
>>>>>> # End of pam.conf snippet
>>>>>>
>>>>>> adm # ssh -vvv -l jblaine test.foo.com
>>>>>> ...
>>>>>> debug1: Next authentication method: keyboard-interactive
>>>>>> debug2: userauth_kbdint
>>>>>> debug2: we sent a keyboard-interactive packet, wait for reply
>>>>>> debug2: input_userauth_info_req
>>>>>> debug2: input_userauth_info_req: num_prompts 1
>>>>>> Password:
>>>>>> debug3: packet_send2: adding 32 (len 22 padlen 10 extra_pad 64)
>>>>>> Connection closed by 192.168.168.100
>>>>>> debug1: Calling cleanup 0x47d2c(0x0)
>>>>>> adm #
>>>>>>
>>>>>> debug.log:
>>>>>>
>>>>>> Jan  9 20:04:13 test.foo.com sshd[462]: [ID 655841 auth.debug]
>>>>>> PAM-KRB5 (auth): pam_sm_authenticate flags=0
>>>>>> Jan  9 20:04:13 test.foo.com sshd[462]: [ID 549540 auth.debug]
>>>>>> PAM-KRB5 (auth): attempt_krb5_auth: start: user='jblaine'
>>>>>> Jan  9 20:04:13 test.foo.com sshd[462]: [ID 179272 auth.debug]
>>>>>> PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password 
>>>>>> returns: SUCCESS
>>>>>>
>>>>>> krb5kdc.log:
>>>>>>
>>>>>> Jan 09 20:04:13 test.foo.com krb5kdc[445](info): AS_REQ (2 etypes
>>>>>> {3 1}) 192.168.168.100: ISSUE: authtime 1168391053, etypes {rep=3
>>>>>> tkt=16 ses=1}, jblaine at JBTEST for krbtgt/JBTEST at JBTEST
>>>>>> ________________________________________________
>>>>>> Kerberos mailing list           Kerberos at mit.edu
>>>>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>>>>
>>>>>>
> 



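The exchange above turns on two pam.conf rules: a service such as sshd-kbdint falls back to the "other" entries for a module type only when it has no entries of its own for that type, and the control flags (requisite, required, sufficient, optional) decide how the module results in a stack combine. The script below is an added example, not code from the thread or from Sun's libpam: it parses a pam.conf fragment (the sshd-kbdint lines from the thread plus a constructed "other" stack), resolves the stack for a service and type, and evaluates it against simulated module return codes using the pam.conf(4) flag semantics summarized in the comments. The module results are made up for illustration; nothing here calls the real PAM library.

```python
"""Resolve and evaluate a Solaris-style pam.conf stack (added example).

Models, without touching libpam:
  1. lookup: the "other" entries for a type are used only when the
     service has NO entries of its own for that type;
  2. control-flag evaluation per pam.conf(4):
       requisite  - on failure return immediately (first recorded failure)
       required   - on failure record it, keep going
       sufficient - on success with no prior required failure, return
                    success at once; on failure record an optional failure
       optional   - on failure record an optional failure, keep going
     At the end: first required failure wins; an optional failure is
     reported only if the stack had no required/requisite modules.
"""

# Constructed pam.conf: the sshd-kbdint lines from the thread plus an
# assumed "other" stack standing in for the rest of the file.
PAM_CONF = """
# service    type     control     module             options
sshd-kbdint  auth     requisite   pam_authtok_get.so.1
sshd-kbdint  auth     required    pam_dhkeys.so.1
sshd-kbdint  auth     sufficient  pam_krb5.so.1 debug try_first_pass
sshd-kbdint  auth     required    pam_unix_auth.so.1
sshd-kbdint  account  optional    pam_krb5.so.1 debug
sshd-kbdint  session  optional    pam_krb5.so.1 debug
sshd-kbdint  password optional    pam_krb5.so.1 debug
other        auth     requisite   pam_authtok_get.so.1
other        auth     required    pam_dhkeys.so.1
other        auth     required    pam_unix_auth.so.1
other        account  required    pam_unix_account.so.1
other        session  required    pam_unix_session.so.1
other        password required    pam_authtok_store.so.1
"""

# The thread's second configuration adds a required pam_unix session line;
# its position relative to the optional pam_krb5 line does not change the
# outcome, so it is simply appended here.
PAM_CONF_WITH_UNIX_SESSION = PAM_CONF + "sshd-kbdint session required pam_unix.so.1\n"

SUCCESS, FAIL = "PAM_SUCCESS", "PAM_AUTH_ERR"  # simulated module return codes


def parse_pam_conf(text):
    """Return (service, type, control, module, options) tuples, comments stripped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % line)
        service, mtype, control, module = fields[:4]
        entries.append((service.lower(), mtype.lower(), control.lower(), module, fields[4:]))
    return entries


def resolve_stack(entries, service, mtype):
    """Stack for (service, type); 'other' is used only if the service has none."""
    own = [e for e in entries if e[0] == service.lower() and e[1] == mtype]
    return own or [e for e in entries if e[0] == "other" and e[1] == mtype]


def evaluate_stack(stack, results):
    """Combine simulated module results (module name -> code) per the flags.

    Returns (final_code, modules_actually_called). A module missing from
    `results` is simulated as failing."""
    if not stack:
        return FAIL, []  # nothing configured for this service/type: treat as failure
    called, required_failure, optional_failure, has_required = [], None, None, False
    for _svc, _type, control, module, _opts in stack:
        rc = results.get(module, FAIL)
        called.append(module)
        if control in ("required", "requisite"):
            has_required = True
        if control == "requisite":
            if rc != SUCCESS:
                return required_failure or rc, called
        elif control == "required":
            if rc != SUCCESS and required_failure is None:
                required_failure = rc
        elif control == "sufficient":
            if rc == SUCCESS and required_failure is None:
                return SUCCESS, called  # short-circuit: later modules never run
            if rc != SUCCESS and optional_failure is None:
                optional_failure = rc
        elif control == "optional":
            if rc != SUCCESS and optional_failure is None:
                optional_failure = rc
        else:
            raise ValueError("unknown control flag %r" % control)
    if required_failure is not None:
        return required_failure, called
    if not has_required and optional_failure is not None:
        return optional_failure, called
    return SUCCESS, called


def run(conf_text, service, mtype, results):
    """Convenience wrapper: parse, resolve, evaluate."""
    return evaluate_stack(resolve_stack(parse_pam_conf(conf_text), service, mtype), results)


if __name__ == "__main__":
    ok = {"pam_authtok_get.so.1": SUCCESS, "pam_dhkeys.so.1": SUCCESS, "pam_krb5.so.1": SUCCESS}
    print("auth, krb5 ok:        ", run(PAM_CONF, "sshd-kbdint", "auth", ok))
    print("session, krb5 fails:  ", run(PAM_CONF, "sshd-kbdint", "session", {}))
    print("session + pam_unix:   ", run(PAM_CONF_WITH_UNIX_SESSION, "sshd-kbdint", "session",
                                        {"pam_unix.so.1": SUCCESS}))
    print("sshd session (other): ", run(PAM_CONF, "sshd", "session", {"pam_unix_session.so.1": SUCCESS}))
```

With the thread's original configuration the sshd-kbdint session stack holds a single optional pam_krb5 entry, so in this model a failure from that module is the stack's result; adding a required pam_unix session entry that succeeds makes the stack succeed regardless of what pam_krb5 returns. A service with no entries of its own (here "sshd") picks up the constructed "other" stack, which is the fallback Douglas describes.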