Solaris 9 latest OEM SSH + pam_krb5.so.1

Jeff Blaine jblaine at kickflop.net
Wed Jan 10 16:41:51 EST 2007


I just want to cap this thread off properly for anyone
stumbling across this later.

No solution was found.

Truss shows the following:

...reading krb5.keytab from FD 7... then...
7054:   lseek(7, 268, SEEK_SET)                         = 268
7054:   lseek(7, 0, SEEK_CUR)                           = 268
7054:   llseek(7, 0, SEEK_CUR)                          = 268
7054:   read(7, 0xFF13FCE4, 1)                          = 0
7054:   llseek(7, 0, SEEK_CUR)                          = 268
7054:   fcntl(7, F_SETLKW, 0xFFBFA794)                  = 0
7054:   close(7)                                        = 0
7054:       Incurred fault #5, FLTACCESS  %pc = 0xFEF60838
7054:         siginfo: SIGBUS BUS_ADRALN addr=0x00000017
7054:       Received signal #10, SIGBUS [default]
7054:         siginfo: SIGBUS BUS_ADRALN addr=0x00000017
505:        Received signal #18, SIGCLD, in poll() [caught]
505:          siginfo: SIGCLD CLD_DUMPED pid=7054 status=0x000A

Russ Allbery wrote:
> Jeff Blaine <jblaine at kickflop.net> writes:
> 
>> Does anyone have a guess as to what I am doing wrong?
> 
>> MIT Kerberos 1.5.1
> 
>> Solaris 9 OEM SSH (latest patch cluster) with
>> 'PAMAuthenticationViaKBDInt yes' and a pam.conf
>> as such (which clearly gets hit):
> 
>> # Start pam.conf snippet
>> sshd-kbdint   auth requisite    pam_authtok_get.so.1
>> sshd-kbdint   auth required     pam_dhkeys.so.1
>> sshd-kbdint   auth sufficient   pam_krb5.so.1 debug try_first_pass
>> sshd-kbdint   auth required     pam_unix_auth.so.1
>> # End of pam.conf snippet
> 
>> adm # ssh -vvv -l jblaine test.foo.com
>> ...
>> debug1: Next authentication method: keyboard-interactive
>> debug2: userauth_kbdint
>> debug2: we sent a keyboard-interactive packet, wait for reply
>> debug2: input_userauth_info_req
>> debug2: input_userauth_info_req: num_prompts 1
>> Password:
>> debug3: packet_send2: adding 32 (len 22 padlen 10 extra_pad 64)
>> Connection closed by 192.168.168.100
>> debug1: Calling cleanup 0x47d2c(0x0)
>> adm #
> 
> This may be obvious, but does the account jblaine exist on the system?  It
> has to be provided by an nsswitch provider, or sshd will always reject
> logins to that account regardless of whether it passes a PAM
> authentication check.
> 
> Also, note that unless the account exists in /etc/shadow (even if you're
> not using local passwords), the Unix PAM account module will reject the
> login at least in Solaris 8.
> 
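
A triage helper for traces like the one in this post, added here as an example (it is not code from the post or from either participant): it pairs the process that took the signal with its fault address, the last system calls it made, and the parent's CLD_DUMPED notice. The function name `triage`, the record fields and the 4-byte alignment check are assumptions of this example.

```python
import re

# The truss lines quoted in the post, embedded so the example runs offline.
SAMPLE = """\
7054:   read(7, 0xFF13FCE4, 1)                          = 0
7054:   llseek(7, 0, SEEK_CUR)                          = 268
7054:   fcntl(7, F_SETLKW, 0xFFBFA794)                  = 0
7054:   close(7)                                        = 0
7054:       Incurred fault #5, FLTACCESS  %pc = 0xFEF60838
7054:         siginfo: SIGBUS BUS_ADRALN addr=0x00000017
7054:       Received signal #10, SIGBUS [default]
7054:         siginfo: SIGBUS BUS_ADRALN addr=0x00000017
505:        Received signal #18, SIGCLD, in poll() [caught]
505:          siginfo: SIGCLD CLD_DUMPED pid=7054 status=0x000A
"""

LINE = re.compile(r"^(\d+):\s+(.*)$")
SYSCALL = re.compile(r"^(\w+)\(.*\)\s+=")
FAULT = re.compile(r"^Incurred fault #\d+, (\w+)\s+%pc = (0x[0-9A-Fa-f]+)")
SIGNAL = re.compile(r"^Received signal #\d+, (\w+)(?:, in \w+\(\))? \[(\w+)\]")
SIGINFO = re.compile(r"^siginfo: \w+ (\w+) (?:addr=(0x[0-9A-Fa-f]+)|pid=(\d+))")

def triage(text, keep=3):
    """One record per process that took a signal at its [default] disposition."""
    procs, dumped = {}, set()
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip annotations that carry no "pid:" prefix
        pid, body = int(m.group(1)), m.group(2)
        p = procs.setdefault(pid, {"pid": pid, "last_calls": [], "fault": None,
                                   "pc": None, "signal": None, "code": None, "addr": None})
        if (s := SYSCALL.match(body)):
            p["last_calls"] = (p["last_calls"] + [s.group(1)])[-keep:]
        elif (f := FAULT.match(body)):
            p["fault"], p["pc"] = f.group(1), int(f.group(2), 16)
        elif (g := SIGNAL.match(body)):
            if g.group(2) == "default":
                p["signal"] = g.group(1)
        elif (i := SIGINFO.match(body)):
            if i.group(2):  # fault siginfo: code plus faulting address
                p["code"], p["addr"] = i.group(1), int(i.group(2), 16)
            elif i.group(1) == "CLD_DUMPED":  # parent's notice: child dumped core
                dumped.add(int(i.group(3)))
    hits = [p for p in procs.values() if p["signal"]]
    for p in hits:
        p["core_dumped"] = p["pid"] in dumped
        # Assumption: a 4-byte access; BUS_ADRALN itself only says "misaligned".
        p["misaligned_for_word"] = p["addr"] is not None and p["addr"] % 4 != 0
    return hits

if __name__ == "__main__":
    for rec in triage(SAMPLE):
        print(rec)
```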