Kerberos, Sun SSH and KRB5CCNAME on Solaris (10)
Robert Sturrock
rns at unimelb.edu.au
Mon Sep 17 04:08:59 EDT 2007
Hello.
I'm trying to configure a Solaris 10 server to allow kerberos-based
logins with Sun's SSHD. I set "GSSAPIAuthentication yes" in
the sshd_config. My pam.conf is displayed below.
When I don't have any credentials on my workstation and I login to the
server with ssh (typing my kerberos password along the way), everything
seems to work ok and I get:
workstation$ ssh bellyup
Password: ********
bellyup$ klist
Ticket cache: FILE:/tmp/krb5cc_10846
Default principal: rns at UNIMELB.EDU.AU
Valid starting Expires Service principal
09/17/07 17:58:33 09/18/07 17:58:33 krbtgt/UNIMELB.EDU.AU at UNIMELB.EDU.AU
renew until 09/17/07 17:58:33
09/17/07 17:58:34 09/18/07 17:58:33 afs at UNIMELB.EDU.AU
renew until 09/17/07 17:58:33
bellyup$ echo $KRB5CCNAME
FILE:/tmp/krb5cc_10846
When I *do* have credentials on my workstation, it still logs me in ok and
propagates my credentials, *but* $KRB5CCNAME is unset:
workstation$ ssh bellyup
bellyup$ klist
Ticket cache: FILE:/tmp/krb5cc_10846
Default principal: rns at UNIMELB.EDU.AU
Valid starting Expires Service principal
09/17/07 17:59:07 09/18/07 17:59:07 krbtgt/UNIMELB.EDU.AU at UNIMELB.EDU.AU
renew until 09/17/07 17:59:07
09/17/07 17:59:08 09/18/07 17:59:07 afs at UNIMELB.EDU.AU
renew until 09/17/07 17:59:07
bellyup$ echo $KRB5CCNAME
bellyup$
Can someone give me an idea of what the problem might be here?
I _think_ this problem might have been the subject of discussion here:
http://newsgroups.derkeiler.com/Archive/Comp/comp.protocols.kerberos/2006-08/msg00094.html
.. which says in part:
> The sshd does not set the KRB5CCNAME correctly either. We do this
> with pam_krb5_cache.so.1 ccache=/tmp/krb5cc_%u_%p (user and PID)
> to get session based credentials if possible. Works from sshd-gssapi,
> but not from dtlogin where we are stuck with user basede credentials.
Do I need to setup pam_krb5_cache? If so, can someone please provide
a pointer to this as it does not seem to be a standard Solaris 10 PAM
module.
FYI, the ultimate objective here is to automatically get AFS tokens on
login, but this is not working in all circumstances because
pam-afs-session expects KRB5CCNAME to be set.
Regards,
Robert Sturrock.
---
#
#ident "@(#)pam.conf 1.28 04/04/21 SMI"
#
# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth required pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required pam_unix_cred.so.1
krlogin auth binding pam_krb5.so.1
krlogin auth required pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh auth required pam_unix_cred.so.1
krsh auth binding pam_krb5.so.1
krsh auth required pam_unix_auth.so.1
#
# Kerberized telnet service
#
ktelnet auth required pam_unix_cred.so.1
ktelnet auth binding pam_krb5.so.1
ktelnet auth required pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_krb5.so.1
other auth required pam_unix_auth.so.1
other auth optional /usr/local/lib/security/pam_afs_session.so debug
#
# passwd command (explicit because of a different authentication module)
#
passwd auth required pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
other account required pam_krb5.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
other session required /usr/local/lib/security/pam_afs_session.so debug
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
other password optional pam_krb5.so.1
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#
sshd auth sufficient pam_krb5.so.1 try_first_pass
sshd auth required pam_unix_auth.so.1
More information about the Kerberos
mailing list