Kerberos, Sun SSH and KRB5CCNAME on Solaris (10)

Robert Sturrock rns at unimelb.edu.au
Mon Sep 17 04:08:59 EDT 2007


Hello.

I'm trying to configure a Solaris 10 server to allow kerberos-based
logins with Sun's SSHD.  I set "GSSAPIAuthentication yes" in
the sshd_config.  My pam.conf is displayed below.

When I don't have any credentials on my workstation and I login to the
server with ssh (typing my kerberos password along the way), everything
seems to work ok and I get:

    workstation$ ssh bellyup
    Password:  ********

    bellyup$ klist
    Ticket cache: FILE:/tmp/krb5cc_10846
    Default principal: rns at UNIMELB.EDU.AU

    Valid starting                Expires                Service principal
    09/17/07 17:58:33  09/18/07 17:58:33  krbtgt/UNIMELB.EDU.AU at UNIMELB.EDU.AU
	    renew until 09/17/07 17:58:33
    09/17/07 17:58:34  09/18/07 17:58:33  afs at UNIMELB.EDU.AU
	    renew until 09/17/07 17:58:33

    bellyup$ echo $KRB5CCNAME 
    FILE:/tmp/krb5cc_10846

When I *do* have credentials on my workstation, it still logs me in ok and
propagates my credentials, *but* $KRB5CCNAME is unset:

    workstation$ ssh bellyup

    bellyup$ klist
    Ticket cache: FILE:/tmp/krb5cc_10846
    Default principal: rns at UNIMELB.EDU.AU

    Valid starting                Expires                Service principal
    09/17/07 17:59:07  09/18/07 17:59:07  krbtgt/UNIMELB.EDU.AU at UNIMELB.EDU.AU
	    renew until 09/17/07 17:59:07
    09/17/07 17:59:08  09/18/07 17:59:07  afs at UNIMELB.EDU.AU
	    renew until 09/17/07 17:59:07
    bellyup$ echo $KRB5CCNAME

    bellyup$ 

Can someone give me an idea of what the problem might be here?

I _think_ this problem might have been the subject of discussion here:

    http://newsgroups.derkeiler.com/Archive/Comp/comp.protocols.kerberos/2006-08/msg00094.html

.. which says in part:

  > The sshd does not set the KRB5CCNAME correctly either. We do this
  > with pam_krb5_cache.so.1 ccache=/tmp/krb5cc_%u_%p (user and PID)
  > to get session based credentials if possible. Works from sshd-gssapi,
  > but not from dtlogin where we are stuck with user basede credentials.

Do I need to setup pam_krb5_cache?  If so, can someone please provide
a pointer to this as it does not seem to be a standard Solaris 10 PAM
module.

FYI, the ultimate objective here is to automatically get AFS tokens on
login, but this is not working in all circumstances because
pam-afs-session expects KRB5CCNAME to be set.

Regards,

Robert Sturrock.


---
#
#ident	"@(#)pam.conf	1.28	04/04/21 SMI"
#
# Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login	auth requisite		pam_authtok_get.so.1
login	auth required		pam_dhkeys.so.1
login	auth required		pam_unix_cred.so.1
login	auth required		pam_unix_auth.so.1
login	auth required		pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin	auth sufficient		pam_rhosts_auth.so.1
rlogin	auth requisite		pam_authtok_get.so.1
rlogin	auth required		pam_dhkeys.so.1
rlogin	auth required		pam_unix_cred.so.1
rlogin	auth required		pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin	auth required		pam_unix_cred.so.1
krlogin	auth binding		pam_krb5.so.1
krlogin	auth required		pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh	auth sufficient		pam_rhosts_auth.so.1
rsh	auth required		pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh	auth required		pam_unix_cred.so.1
krsh	auth binding		pam_krb5.so.1
krsh	auth required		pam_unix_auth.so.1
#
# Kerberized telnet service
#
ktelnet	auth required		pam_unix_cred.so.1
ktelnet	auth binding		pam_krb5.so.1
ktelnet	auth required		pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp	auth requisite		pam_authtok_get.so.1
ppp	auth required		pam_dhkeys.so.1
ppp	auth required		pam_unix_cred.so.1
ppp	auth required		pam_unix_auth.so.1
ppp	auth required		pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other	auth requisite		pam_authtok_get.so.1
other	auth required		pam_dhkeys.so.1
other	auth required		pam_unix_cred.so.1
other	auth sufficient		pam_krb5.so.1
other	auth required		pam_unix_auth.so.1
other	auth optional		/usr/local/lib/security/pam_afs_session.so debug
#
# passwd command (explicit because of a different authentication module)
#
passwd	auth required		pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron	account required	pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other	account requisite	pam_roles.so.1
other	account required	pam_unix_account.so.1
other	account required	pam_krb5.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other	session required	pam_unix_session.so.1
other	session required        /usr/local/lib/security/pam_afs_session.so debug
#
# Default definition for  Password management
# Used when service name is not explicitly mentioned for password management
#
other	password required	pam_dhkeys.so.1
other	password requisite	pam_authtok_get.so.1
other	password requisite	pam_authtok_check.so.1
other	password required	pam_authtok_store.so.1
other   password optional       pam_krb5.so.1
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#
sshd	auth	sufficient	pam_krb5.so.1 try_first_pass
sshd	auth	required	pam_unix_auth.so.1



More information about the Kerberos mailing list