Kerberos, Sun SSH and KRB5CCNAME on Solaris (10)
Douglas E. Engert
deengert at anl.gov
Mon Sep 17 10:43:50 EDT 2007
Robert Sturrock wrote:
> Hello.
>
> I'm trying to configure a Solaris 10 server to allow kerberos-based
> logins with Sun's SSHD. I set "GSSAPIAuthentication yes" in
> the sshd_config. My pam.conf is displayed below.
>
> I _think_ this problem might have been the subject of discussion here:
>
> http://newsgroups.derkeiler.com/Archive/Comp/comp.protocols.kerberos/2006-08/msg00094.html
>
Yes, that would be me.
> .. which says in part:
>
> > The sshd does not set the KRB5CCNAME correctly either. We do this
> > with pam_krb5_cache.so.1 ccache=/tmp/krb5cc_%u_%p (user and PID)
> > to get session based credentials if possible. Works from sshd-gssapi,
> > but not from dtlogin where we are stuck with user based credentials.
>
> Do I need to setup pam_krb5_cache? If so, can someone please provide
> a pointer to this as it does not seem to be a standard Solaris 10 PAM
> module.
ftp://achilles.ctd.anl.gov/pub/DEE/pam_krb5_ccache-0.1.tar
There is a README, and an example pam.conf in there too.
>
> FYI, the ultimate objective here is to automatically get AFS tokens on
> login, but this is not working in all circumstances because
> pam-afs-session expects KRB5CCNAME to be set.
That was our goal too. We are using pam_afs2. pam_afs_session
should also work.
>
> Regards
>
> Robert Sturrock.
>
>
> ---
> #
> #ident "@(#)pam.conf 1.28 04/04/21 SMI"
> #
> # Copyright 2004 Sun Microsystems, Inc. All rights reserved.
> # Use is subject to license terms.
> #
> # PAM configuration
> #
> # Unless explicitly defined, all services use the modules
> # defined in the "other" section.
> #
> # Modules are defined with relative pathnames, i.e., they are
> # relative to /usr/lib/security/$ISA. Absolute path names, as
> # present in this file in previous releases are still acceptable.
> #
> # Authentication management
> #
> # login service (explicit because of pam_dial_auth)
> #
> login auth requisite pam_authtok_get.so.1
> login auth required pam_dhkeys.so.1
> login auth required pam_unix_cred.so.1
> login auth required pam_unix_auth.so.1
> login auth required pam_dial_auth.so.1
> #
> # rlogin service (explicit because of pam_rhost_auth)
> #
> rlogin auth sufficient pam_rhosts_auth.so.1
> rlogin auth requisite pam_authtok_get.so.1
> rlogin auth required pam_dhkeys.so.1
> rlogin auth required pam_unix_cred.so.1
> rlogin auth required pam_unix_auth.so.1
> #
> # Kerberized rlogin service
> #
> krlogin auth required pam_unix_cred.so.1
> krlogin auth binding pam_krb5.so.1
> krlogin auth required pam_unix_auth.so.1
> #
> # rsh service (explicit because of pam_rhost_auth,
> # and pam_unix_auth for meaningful pam_setcred)
> #
> rsh auth sufficient pam_rhosts_auth.so.1
> rsh auth required pam_unix_cred.so.1
> #
> # Kerberized rsh service
> #
> krsh auth required pam_unix_cred.so.1
> krsh auth binding pam_krb5.so.1
> krsh auth required pam_unix_auth.so.1
> #
> # Kerberized telnet service
> #
> ktelnet auth required pam_unix_cred.so.1
> ktelnet auth binding pam_krb5.so.1
> ktelnet auth required pam_unix_auth.so.1
> #
> # PPP service (explicit because of pam_dial_auth)
> #
> ppp auth requisite pam_authtok_get.so.1
> ppp auth required pam_dhkeys.so.1
> ppp auth required pam_unix_cred.so.1
> ppp auth required pam_unix_auth.so.1
> ppp auth required pam_dial_auth.so.1
> #
> # Default definitions for Authentication management
> # Used when service name is not explicitly mentioned for authentication
> #
> other auth requisite pam_authtok_get.so.1
> other auth required pam_dhkeys.so.1
> other auth required pam_unix_cred.so.1
> other auth sufficient pam_krb5.so.1
> other auth required pam_unix_auth.so.1
> other auth optional /usr/local/lib/security/pam_afs_session.so debug
> #
> # passwd command (explicit because of a different authentication module)
> #
> passwd auth required pam_passwd_auth.so.1
> #
> # cron service (explicit because of non-usage of pam_roles.so.1)
> #
> cron account required pam_unix_account.so.1
> #
> # Default definition for Account management
> # Used when service name is not explicitly mentioned for account management
> #
> other account requisite pam_roles.so.1
> other account required pam_unix_account.so.1
> other account required pam_krb5.so.1
> #
> # Default definition for Session management
> # Used when service name is not explicitly mentioned for session management
> #
> other session required pam_unix_session.so.1
> other session required /usr/local/lib/security/pam_afs_session.so debug
> #
> # Default definition for Password management
> # Used when service name is not explicitly mentioned for password management
> #
> other password required pam_dhkeys.so.1
> other password requisite pam_authtok_get.so.1
> other password requisite pam_authtok_check.so.1
> other password required pam_authtok_store.so.1
> other password optional pam_krb5.so.1
> #
> # Support for Kerberos V5 authentication and example configurations can
> # be found in the pam_krb5(5) man page under the "EXAMPLES" section.
> #
> sshd auth sufficient pam_krb5.so.1 try_first_pass
> sshd auth required pam_unix_auth.so.1
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
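A post-login check for the credential-cache problem discussed in this thread, added here as an example; it is not code from the thread, from Sun SSH or from pam_krb5_ccache. It verifies that the KRB5CCNAME a PAM session exported names a per-session FILE cache laid out as <dir>/krb5cc_<user>_<pid>, which is what the ccache=/tmp/krb5cc_%u_%p template is assumed to produce (%u taken as the login name and %p as a PID; the thread only says "user and PID"), owned by that user with mode 0600, and not the shared per-user /tmp/krb5cc_<uid> cache that the dtlogin path leaves you with. The function names, the exit codes and the template expansion helper are all mine.

```sh
#!/bin/sh
# Added example (not code from the thread, Sun SSH or pam_krb5_ccache).
# Run after an ssh/GSSAPI login, e.g.:
#   . ./check_ccache.sh; check_session_ccache "$KRB5CCNAME" "$(id -un)"
# Exit status: 0 session cache is fine, 1 KRB5CCNAME unset, 2 cache type
# other than FILE, 3 unexpected path layout, 4 shared per-user cache,
# 5 cache file missing, 6 wrong owner or permissions.

# Expand a pam_krb5_ccache-style template for a given user and PID.
# Assumption: %u is the login name, %p the PID.
expand_ccache_template() {
    tmpl=$1 user=$2 pid=$3
    printf '%s\n' "$tmpl" | sed -e "s/%u/$user/g" -e "s/%p/$pid/g"
}

# check_session_ccache KRB5CCNAME user [dir]   (dir defaults to /tmp)
check_session_ccache() {
    ccname=$1 user=$2 dir=${3:-/tmp}
    uid=$(id -u "$user" 2>/dev/null)

    case "$ccname" in
        '')     echo "KRB5CCNAME is not set: no PAM module exported it" >&2; return 1 ;;
        FILE:*) path=${ccname#FILE:} ;;
        *:*)    echo "cache '$ccname' is not a FILE: cache, not checked" >&2; return 2 ;;
        *)      path=$ccname ;;          # bare path, treated as a FILE cache
    esac

    base=${path##*/}
    case "$base" in
        "krb5cc_$uid")
            echo "$path is the shared per-user cache, not a session cache" >&2; return 4 ;;
        "krb5cc_${user}_"*)
            pid=${base#"krb5cc_${user}_"} ;;
        *)  pid= ;;
    esac
    case "$pid" in
        ''|*[!0-9]*)
            echo "$path is not laid out as $dir/krb5cc_<user>_<pid>" >&2; return 3 ;;
    esac
    [ "${path%/*}" = "$dir" ] || { echo "$path is not under $dir" >&2; return 3; }

    [ -f "$path" ] || { echo "$path does not exist" >&2; return 5; }
    # find(1) -perm without a leading '-' demands an exact mode match, so a
    # group- or world-readable cache (a stealable TGT) is rejected here.
    if [ -z "$(find "$path" -prune -type f -user "$user" -perm 600 -print)" ]; then
        echo "$path must be owned by $user with mode 0600" >&2; return 6
    fi
    echo "$path"
}
```

The distinct exit codes matter in practice: code 1 means the module never ran or never exported the variable (the sshd symptom Doug describes), code 4 means you are on the dtlogin-style shared cache, and code 6 catches a cache that is session based but readable by others.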