Kerberos MIT SSH Solaris 9

Douglas E. Engert deengert at anl.gov
Thu Feb 7 14:37:32 EST 2008



Andrea wrote:
> Hi all,
> 
> I'm experiencing some problems kerberizing ssh on Solaris 9 with MIT
> Kerberos.
> 
> I have the following setting:
> 
> 1. Sun Solaris 5.9
> 
> 2. MIT Kerberos KDC 1.6.3  ( I use just the kdc from the MIT Kerberos)
> 
> 3. On Kerberos client side I used the one from Solaris from the
> following packet: SUNWkrbu
> 
> 4. Sun_SSH_1.1, SSH protocols 1.5/2.0, OpenSSL 0x0090700f


I don't believe the Solaris 9 sshd supports GSSAPI, which is what you
are looking for. On Solaris 9 we use OpenSSH and the MIT Kerberos.
(/usr/bin/ldd /usr/lib/ssh/sshd does not show any Kerberos or gssapi libs.)

But on Solaris 10, the Sun ssh/sshd does support GSSAPI, and works
well with GSSAPI using the Sun Kerberos.


> 
> This is my pam.conf:
> # PAM configuration
> #
> # Customized to try pam_unix, then pam_krb5
> #
> # Unless explicitly defined, all services use the modules
> # defined in the "other" section.
> #
> # Modules are defined with relative pathnames, i.e., they are
> # relative to /usr/lib/security/$ISA. Absolute path names, as
> # present in this file in previous releases are still acceptable.
> #
> # Authentication
> #
> # passwd command (explicit because of a different authentication module)
> #
> passwd  auth required           pam_passwd_auth.so.1
> #
> # Default definition for Authentication management
> # Used when service name is not explicitly mentioned for authentication
> #   management
> #
> other   auth requisite          pam_authtok_get.so.1
> other   auth sufficient         pam_unix_auth.so.1
> other   auth required           pam_krb5.so.1 use_first_pass debug
> #
> # Account
> #
> # cron service (explicit because of non-usage of pam_roles.so.1)
> #
> cron    account required        pam_projects.so.1
> cron    account required        pam_unix_account.so.1
> # See notes about pam_krb5 in "other" section below
> cron    account optional        pam_krb5.so.1 debug
> #
> # Default definition for Account management
> # Used when service name is not explicitly mentioned for account management
> #
> other   account requisite       pam_roles.so.1
> other   account required        pam_projects.so.1
> other   account required        pam_unix_account.so.1
> # According to the pam_krb5 man page, this checks for password expiration.
> # I'm not sure this does anything since I've flagged it as optional.
> # I'm not sure if I can make it required because of root.
> other   account optional        pam_krb5.so.1 debug
> #
> # Session
> #
> # Default definition for Session management
> # Used when service name is not explicitly mentioned for session management
> #
> other   session optional        pam_krb5.so.1 debug
> other   session required        pam_unix_session.so.1
> #
> # Password
> #
> # (Don't list pam_krb5 here, this section is only for root.  Regular
> # users must use the centralized department password changing mechanism.)
> #
> # Default definition for Password management
> # Used when service name is not explicitly mentioned for password management
> #
> other   password requisite      pam_authtok_get.so.1
> other   password requisite      pam_authtok_check.so.1
> other   password required       pam_authtok_store.so.1
> #
> 
> I can ssh into the machine using the password from Kerberos; once I'm
> let in I have the two tickets (TGT and TGS), but if I try to ssh on
> the same machine I have to retype the password, hence single sign on
> seems not to be working.
> 
> Can anyone suggest where I am wrong???
> Is the pam.conf correct?
> Does native Solaris ssh support gssapi delegation of credentials well??

It does on Solaris 10!

> 
> My goal is to obtain single sign on with as many native Solaris tools
> as possible, with just one exception: using the MIT KERBEROS KDC SERVER!

We do that on Solaris 10 but using Windows AD as the KDC.

> 
> Thanks in advance!

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
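As an added illustration (not code from the thread), the script below parses the auth and account stanzas of the pam.conf quoted above and walks them with Solaris control-flag semantics, showing that with pam_unix_auth marked sufficient, pam_krb5 is consulted only when the Unix password check fails; the PAM_CONF string is a constructed, abridged copy of that file.

```python
from collections import defaultdict

# Constructed input: the auth and account stanzas of the pam.conf quoted in the
# thread (comments and the session/password sections dropped for brevity).
PAM_CONF = """\
passwd  auth required           pam_passwd_auth.so.1
other   auth requisite          pam_authtok_get.so.1
other   auth sufficient         pam_unix_auth.so.1
other   auth required           pam_krb5.so.1 use_first_pass debug
other   account requisite       pam_roles.so.1
other   account required        pam_projects.so.1
other   account required        pam_unix_account.so.1
other   account optional        pam_krb5.so.1 debug
"""

def parse_pam_conf(text):
    """Return {(service, type): [(flag, module, options), ...]} in file order."""
    stacks = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        service, mtype, flag, module, *opts = line.split()
        stacks[(service.lower(), mtype.lower())].append((flag.lower(), module, opts))
    return stacks

def effective_stack(stacks, service, mtype):
    """A service with no explicit entries for this type falls back to 'other'."""
    return stacks.get((service, mtype)) or stacks.get(("other", mtype), [])

def simulate(stack, results):
    """Walk one stack with Solaris control-flag semantics.  results maps module
    name -> True/False (absent = failure).  Returns (overall_success,
    modules_consulted) so you can see which modules were never reached."""
    consulted, required_failed = [], False
    for flag, module, _opts in stack:
        ok = results.get(module, False)
        consulted.append(module)
        if flag == "requisite" and not ok:
            return False, consulted            # stop at once
        if flag == "required" and not ok:
            required_failed = True             # keep walking, remember failure
        if flag == "sufficient" and ok and not required_failed:
            return True, consulted             # short-circuit: the rest is skipped
        # optional: ignored here; on Solaris it only matters when nothing else
        # in the stack sets the result, so pam_krb5 in "account" decides nothing.
    return not required_failed, consulted
```

Run simulate() on the sshd auth stack with every module succeeding and pam_krb5 never appears in the consulted list; only a failing pam_unix_auth lets the Kerberos module run.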
