sshs ticket length issue
Edgecombe, Jason
jwedgeco at uncc.edu
Tue Nov 6 16:28:37 EST 2007
Hi Everyone,
I'm having ticket length issues with Kerberos.
I'm running OpenSSH_4.2p1, OpenSSL 0.9.8 05 Jul 2005 on solaris 9
09/05HW with Kerberos 1.4 on the sshd box.
According to the KDC, I have a 3 day ticket length. When I log in at
the console or via telnet, I get my 3 day ticket. When I ssh into the
Solaris machine without local tickets and use my password, I get a
10 hour ticket and 10 hour AFS tokens. When I kinit, I get my 3-day
ticket & token. If I have a ticket on the local machine, then ticket
forwarding works properly with the 3 day ticket length.
The main problem is that I don't get the proper ticket length when
ssh'ing into the Solaris 9 machine using my password.
/etc/krb5.conf:
[appdefaults]
kinit = {
forwardable = true
noaddresses = true
}
[libdefaults]
forwardable = true
noaddresses = true
ticket_lifetime = 7d
default_realm = UNCC.EDU
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
...
Pertinent sshd_config:
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
PrintMotd no
Subsystem sftp /usr/local/ssh/libexec/sftp-server
X11Forwarding yes
UsePAM is not set and uses the default.
/etc/pam.conf snippet:
#login
login auth requisite pam_authtok_get.so.1
login auth optional pam_unix.so.1 use_first_pass
login auth optional pam_krb5.so.1 use_first_pass
login auth optional pam_aklog.so.1 ccache=/tmp/krb5cc_%u
# dtlogin
dtlogin auth requisite pam_authtok_get.so.1
dtlogin auth optional pam_unix.so.1 use_first_pass
dtlogin auth optional pam_krb5.so.1 use_first_pass
dtlogin auth optional pam_aklog.so.1 ccache=/tmp/krb5cc_%u
# dtsession
dtsession auth requisite pam_authtok_get.so.1
dtsession auth optional pam_unix.so.1 use_first_pass
dtsession auth optional pam_krb5.so.1 use_first_pass
# ssh
sshd auth requisite pam_authtok_get.so.1
sshd auth optional pam_unix.so.1 use_first_pass
sshd auth optional pam_krb5.so.1 use_first_pass
sshd auth optional pam_aklog.so.1 ccache=/tmp/krb5cc_%u
Thanks,
Jason
Jason Edgecombe
Solaris & Linux Administrator
Mosaic Computing Group, College of Engineering
UNC-Charlotte
Phone: (704) 687-3514
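A small checker for the comparison described in the post (TGT lifetime obtained via console/kinit versus via an ssh password login), written as an added example rather than anything from the original message or from the MIT/Solaris Kerberos tools. It parses krb5.conf-style duration strings such as the post's "ticket_lifetime = 7d", reads MIT-style klist output, and flags a cache whose krbtgt lifetime falls short of the lifetime the KDC is known to grant. The two klist transcripts, the principal jdoe@UNCC.EDU and the cache paths are constructed for illustration; only the realm UNCC.EDU and the 3 day / 10 hour figures come from the post.

```python
import re
from datetime import datetime

# Constructed sample klist output (MIT-style layout), not copied from the post.
# Baseline: cache produced by a console login / kinit, 3 day TGT.
KLIST_CONSOLE = """Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: jdoe@UNCC.EDU

Valid starting     Expires            Service principal
11/06/07 16:28:37  11/09/07 16:28:37  krbtgt/UNCC.EDU@UNCC.EDU
11/06/07 16:28:40  11/09/07 16:28:37  afs@UNCC.EDU
"""

# Constructed sample: cache produced by an ssh password login, 10 hour TGT.
KLIST_SSH = """Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: jdoe@UNCC.EDU

Valid starting     Expires            Service principal
11/06/07 16:30:02  11/07/07 02:30:02  krbtgt/UNCC.EDU@UNCC.EDU
"""

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_lifetime(spec):
    """Parse a krb5.conf duration ('7d', '10h', '1d12h', or plain seconds) into seconds."""
    spec = spec.strip().lower()
    if spec.isdigit():
        return int(spec)
    total = 0
    for num, unit in re.findall(r"(\d+)([smhd])", spec):
        total += int(num) * UNITS[unit]
    if total == 0:
        raise ValueError(f"unrecognised lifetime spec: {spec!r}")
    return total


# One klist ticket line: start timestamp, expiry timestamp, service principal.
TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)"
)
TS_FMT = "%m/%d/%y %H:%M:%S"


def ticket_lifetimes(klist_output):
    """Map each service principal in klist output to its lifetime in seconds."""
    lifetimes = {}
    for line in klist_output.splitlines():
        m = TICKET_RE.match(line)
        if not m:
            continue  # header / blank / cache-name lines
        start = datetime.strptime(m.group(1), TS_FMT)
        end = datetime.strptime(m.group(2), TS_FMT)
        lifetimes[m.group(3)] = int((end - start).total_seconds())
    return lifetimes


def tgt_lifetime(klist_output, realm):
    """Lifetime in seconds of the TGT for `realm`, or None if the cache has none."""
    return ticket_lifetimes(klist_output).get(f"krbtgt/{realm}@{realm}")


def check_tgt(klist_output, realm, expected_spec):
    """Return ('ok'|'short'|'missing', actual_seconds) against the expected lifetime.

    expected_spec is what the KDC is known to grant (the post's 3 days), not
    necessarily the ticket_lifetime request in krb5.conf, which the KDC may cap.
    """
    expected = parse_lifetime(expected_spec)
    actual = tgt_lifetime(klist_output, realm)
    if actual is None:
        return ("missing", None)
    return ("ok" if actual >= expected else "short", actual)


if __name__ == "__main__":
    for label, cache in (("console", KLIST_CONSOLE), ("ssh-password", KLIST_SSH)):
        status, secs = check_tgt(cache, "UNCC.EDU", "3d")
        hours = secs / 3600 if secs is not None else None
        print(f"{label:13s} TGT lifetime: {hours} h -> {status}")
```

In practice the two inputs would be the output of `klist` run in each kind of session; comparing them against the lifetime the KDC actually grants (here 3d) rather than the krb5.conf request (7d) avoids a false "short" when the KDC caps the request.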