Kerberos, Sun SSH and KRB5CCNAME on Solaris (10)

Douglas E. Engert deengert at anl.gov
Mon Sep 17 10:43:50 EDT 2007



Robert Sturrock wrote:
> Hello.
> 
> I'm trying to configure a Solaris 10 server to allow kerberos-based
> logins with Sun's SSHD.  I set "GSSAPIAuthentication yes" in
> the sshd_config.  My pam.conf is displayed below.
> 

> I _think_ this problem might have been the subject of discussion here:
> 
>     http://newsgroups.derkeiler.com/Archive/Comp/comp.protocols.kerberos/2006-08/msg00094.html
> 

Yes, that would be me.

> .. which says in part:
> 
>   > The sshd does not set the KRB5CCNAME correctly either. We do this
>   > with pam_krb5_cache.so.1 ccache=/tmp/krb5cc_%u_%p (user and PID)
>   > to get session based credentials if possible. Works from sshd-gssapi,
>   > but not from dtlogin where we are stuck with user-based credentials.
> 
> Do I need to setup pam_krb5_cache?  If so, can someone please provide
> a pointer to this as it does not seem to be a standard Solaris 10 PAM
> module.

ftp://achilles.ctd.anl.gov/pub/DEE/pam_krb5_ccache-0.1.tar There is a README
and an example pam.conf in there too.

> 
> FYI, the ultimate objective here is to automatically get AFS tokens on
> login, but this is not working in all circumstances because
> pam-afs-session expects KRB5CCNAME to be set.

That was our goal too. We are using pam_afs2. pam_afs_session
should also work.


> 
> Regards
> 
> Robert Sturrock.
> 
> 
> ---
> #
> #ident	"@(#)pam.conf	1.28	04/04/21 SMI"
> #
> # Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
> # Use is subject to license terms.
> #
> # PAM configuration
> #
> # Unless explicitly defined, all services use the modules
> # defined in the "other" section.
> #
> # Modules are defined with relative pathnames, i.e., they are
> # relative to /usr/lib/security/$ISA. Absolute path names, as
> # present in this file in previous releases are still acceptable.
> #
> # Authentication management
> #
> # login service (explicit because of pam_dial_auth)
> #
> login	auth requisite		pam_authtok_get.so.1
> login	auth required		pam_dhkeys.so.1
> login	auth required		pam_unix_cred.so.1
> login	auth required		pam_unix_auth.so.1
> login	auth required		pam_dial_auth.so.1
> #
> # rlogin service (explicit because of pam_rhost_auth)
> #
> rlogin	auth sufficient		pam_rhosts_auth.so.1
> rlogin	auth requisite		pam_authtok_get.so.1
> rlogin	auth required		pam_dhkeys.so.1
> rlogin	auth required		pam_unix_cred.so.1
> rlogin	auth required		pam_unix_auth.so.1
> #
> # Kerberized rlogin service
> #
> krlogin	auth required		pam_unix_cred.so.1
> krlogin	auth binding		pam_krb5.so.1
> krlogin	auth required		pam_unix_auth.so.1
> #
> # rsh service (explicit because of pam_rhost_auth,
> # and pam_unix_auth for meaningful pam_setcred)
> #
> rsh	auth sufficient		pam_rhosts_auth.so.1
> rsh	auth required		pam_unix_cred.so.1
> #
> # Kerberized rsh service
> #
> krsh	auth required		pam_unix_cred.so.1
> krsh	auth binding		pam_krb5.so.1
> krsh	auth required		pam_unix_auth.so.1
> #
> # Kerberized telnet service
> #
> ktelnet	auth required		pam_unix_cred.so.1
> ktelnet	auth binding		pam_krb5.so.1
> ktelnet	auth required		pam_unix_auth.so.1
> #
> # PPP service (explicit because of pam_dial_auth)
> #
> ppp	auth requisite		pam_authtok_get.so.1
> ppp	auth required		pam_dhkeys.so.1
> ppp	auth required		pam_unix_cred.so.1
> ppp	auth required		pam_unix_auth.so.1
> ppp	auth required		pam_dial_auth.so.1
> #
> # Default definitions for Authentication management
> # Used when service name is not explicitly mentioned for authentication
> #
> other	auth requisite		pam_authtok_get.so.1
> other	auth required		pam_dhkeys.so.1
> other	auth required		pam_unix_cred.so.1
> other	auth sufficient		pam_krb5.so.1
> other	auth required		pam_unix_auth.so.1
> other	auth optional		/usr/local/lib/security/pam_afs_session.so debug
> #
> # passwd command (explicit because of a different authentication module)
> #
> passwd	auth required		pam_passwd_auth.so.1
> #
> # cron service (explicit because of non-usage of pam_roles.so.1)
> #
> cron	account required	pam_unix_account.so.1
> #
> # Default definition for Account management
> # Used when service name is not explicitly mentioned for account management
> #
> other	account requisite	pam_roles.so.1
> other	account required	pam_unix_account.so.1
> other	account required	pam_krb5.so.1
> #
> # Default definition for Session management
> # Used when service name is not explicitly mentioned for session management
> #
> other	session required	pam_unix_session.so.1
> other	session required        /usr/local/lib/security/pam_afs_session.so debug
> #
> # Default definition for  Password management
> # Used when service name is not explicitly mentioned for password management
> #
> other	password required	pam_dhkeys.so.1
> other	password requisite	pam_authtok_get.so.1
> other	password requisite	pam_authtok_check.so.1
> other	password required	pam_authtok_store.so.1
> other   password optional       pam_krb5.so.1
> #
> # Support for Kerberos V5 authentication and example configurations can
> # be found in the pam_krb5(5) man page under the "EXAMPLES" section.
> #
> sshd	auth	sufficient	pam_krb5.so.1 try_first_pass
> sshd	auth	required	pam_unix_auth.so.1
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
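The thread turns on one detail: a session module such as pam-afs-session only finds the right ticket cache if something earlier in the stack exported KRB5CCNAME, and a per-session template like ccache=/tmp/krb5cc_%u_%p puts a predictably named file in /tmp. The following is an added example, not code from the thread, from pam_krb5_ccache, or from pam-afs-session. It expands the two escapes the thread quotes (%u and %p; any other escape is rejected rather than guessed, since the module's full list is not on the page), shows the fallback to the conventional user-based default FILE:/tmp/krb5cc_<uid> when KRB5CCNAME is absent, and creates and vets the cache file the way a careful module would (O_EXCL, mode 0600, refuse symlinks and foreign ownership). The user name, PIDs and the temporary directory standing in for /tmp are constructed.

```python
import os
import stat
import tempfile


def expand_ccache_template(template, user, pid):
    """Expand %u (user name) and %p (PID) into a per-session cache path.

    Only the two escapes quoted in the thread are supported; anything else
    raises instead of silently producing a wrong path."""
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        if i + 1 >= len(template):
            raise ValueError("dangling '%' at end of template")
        esc = template[i + 1]
        if esc == "u":
            out.append(user)
        elif esc == "p":
            out.append(str(int(pid)))
        else:
            raise ValueError("unsupported escape %%%s" % esc)
        i += 2
    return "".join(out)


def resolve_ccache(env, uid):
    """Return (source, path) for the cache a session module will look at.

    With KRB5CCNAME set (FILE:/path or a bare /path) the per-session cache
    is used. Without it the only thing left is the user-based default
    /tmp/krb5cc_<uid>, shared by every login of that user (the dtlogin and
    bare-sshd situation described in the thread)."""
    name = env.get("KRB5CCNAME", "")
    if name:
        if name.startswith("FILE:"):
            name = name[len("FILE:"):]
        return "KRB5CCNAME", name
    return "default", "/tmp/krb5cc_%d" % uid


def check_ccache_file(path, uid):
    """Vet a cache before trusting it: regular file (lstat, so a symlink
    at the predictable name is caught), owned by the session uid, and not
    readable by group/other. Returns (ok, reason)."""
    try:
        st = os.lstat(path)
    except OSError:
        return False, "missing"
    if stat.S_ISLNK(st.st_mode):
        return False, "symlink"
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    if st.st_uid != uid:
        return False, "owned by uid %d, not %d" % (st.st_uid, uid)
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        return False, "mode %04o grants group/other access" % mode
    return True, "ok"


def create_session_ccache(template, user, pid):
    """Create the per-session cache with O_EXCL and mode 0600 from the
    start, so a file or symlink pre-placed at the predictable name makes
    creation fail instead of being followed or reused."""
    path = expand_ccache_template(template, user, pid)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    os.close(fd)
    return path


def demo():
    """Constructed scenario; a private temp dir stands in for /tmp."""
    uid = os.getuid()
    tmpdir = tempfile.mkdtemp()
    template = os.path.join(tmpdir, "krb5cc_%u_%p")
    results = {}
    # sshd session where nothing exported KRB5CCNAME: user-based fallback
    results["no_env"] = resolve_ccache({}, uid)
    # per-session cache created safely and exported via KRB5CCNAME
    path = create_session_ccache(template, "rns", 4242)
    results["env"] = resolve_ccache({"KRB5CCNAME": "FILE:" + path}, uid)
    results["good"] = check_ccache_file(path, uid)
    # a second login of the same user gets a distinct file
    path2 = create_session_ccache(template, "rns", 4243)
    results["distinct"] = path != path2
    # a world-readable cache is refused
    os.chmod(path2, 0o644)
    results["bad_mode"] = check_ccache_file(path2, uid)
    # a symlink planted at a future session's name: creation fails and
    # the check refuses the link rather than following it
    link = expand_ccache_template(template, "rns", 4244)
    os.symlink(os.path.join(tmpdir, "elsewhere"), link)
    try:
        create_session_ccache(template, "rns", 4244)
        results["symlink_create"] = "created"
    except FileExistsError:
        results["symlink_create"] = "refused"
    results["symlink_check"] = check_ccache_file(link, uid)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The useful part for this thread is the no_env case: with only the sshd auth lines from the posted pam.conf and GSSAPI authentication, nothing in the stack sets KRB5CCNAME, so a session module falls through to the shared user-based cache or finds nothing at all; the per-session name from %u_%p fixes that, and the O_EXCL creation plus the lstat checks are the precautions any module writing predictably named files under /tmp should take.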
