Kerberos MIT SSH Solaris 9

Douglas E. Engert deengert at anl.gov
Fri Feb 8 12:21:41 EST 2008 


Andrea wrote:
> On 7 Feb, 20:37, "Douglas E. Engert" <deeng... at anl.gov> wrote:
>> Andrea wrote:
>>> Hi all,
>>> I'm experiencing some problem on kerberizing ssh on Solaris 9 with MIT
>>> Kerberos,
>>> I have the following setting:
>>> 1. Sun Solaris 5.9
>>> 2. MIT Kerberos KDC 1.6.3  ( I use just the kdc from the MIT Kerberos)
>>> 3. On Kerberos client side I used the one from Solaris from the
>>> following packet: SUNWkrbu
>>> 4. Sun_SSH_1.1, SSH protocols 1.5/2.0, OpenSSL 0x0090700f
>> I don't believe the Solars 9 sshd supports GSSAPI which is what you
>> are looking for. On Solaris 9 we use OpenSSH and the MIT Kerberos.
>> (/usr/bin/ldd /usr/lib/ssh/sshd does not show any Kerberos or gssapi libs.)
>>
> If i type ldd /usr/lib/ssh/sshd I obtain following result:
> 
> root at colcascms # ldd /usr/lib/ssh/sshd
>         libsocket.so.1 =>        /usr/lib/libsocket.so.1
>         libnsl.so.1 =>   /usr/lib/libnsl.so.1
>         libz.so.1 =>     /usr/lib/libz.so.1
>         libpam.so.1 =>   /usr/lib/libpam.so.1
>         libbsm.so.1 =>   /usr/lib/libbsm.so.1
>         libwrap.so.1 =>  /usr/sfw/lib/libwrap.so.1
>         libmd5.so.1 =>   /usr/lib/libmd5.so.1
>         libcmd.so.1 =>   /usr/lib/libcmd.so.1
>         libgss.so.1 =>   /usr/lib/libgss.so.1
>         libc.so.1 =>     /usr/lib/libc.so.1
>         libdl.so.1 =>    /usr/lib/libdl.so.1
>         libmp.so.2 =>    /usr/lib/libmp.so.2
>         libxfn.so.2 =>   /usr/lib/libxfn.so.2
>         /usr/platform/SUNW,Sun-Fire-V440/lib/libmd5_psr.so.1
>         /usr/platform/SUNW,Sun-Fire-V440/lib/libc_psr.so.1
> And then I investigate about how ssh call the library libgss (with
> truss) and seems that ssh through libgss tries to obtain the ticket
> credential, this is part of the truss command launched as follow truss
> -u mech_krb5,libgss:: ssh user at hostaname:
> 
> -> libgss:gss_acquire_cred(0xffbff660, 0x0, 0x0, 0x116938)
> open("/var/run/rpc_door/rpc_100029.1", O_RDONLY) Err#2 ENOENT open("/
> var/run/rpc_door/rpc_100029.1", O_RDONLY) Err#2 ENOENT
> 
> getuid()                                        = 0 [0]
> open("/tmp/krb5cc_0", O_RDONLY)                 Err#2 ENOENT
> open("/tmp/krb5cc_0", O_RDONLY)                 Err#2 ENOENT
> <- libgss:gss_acquire_cred() = 0x70000
> 
> It seems that this ssh supports in such a way GSS-API.

I stand corrected, it looks like it does support GSSAPI.

> 
> Any further suggestions??

As root run another server in the forground:

  /usr/lib/ssh/sshd -ddd -p 2222

The on a client, as a user (not root)  with tickets:

  /usr/bin/ssh -vvv -p 2222 hostname

> 
> Thanks for the precious suggesstions.
> 
> Bye
> 
>> But On Solairs 10, The Sun ssh/sshd does support GSSAPI, and works
>> well with GSSAPI using the Sun Kerberos.
>>
>>
>>
>>
>>
>>> This is my pam.conf:
>>> # PAM configuration
>>> #
>>> # Customized to try pam_unix, then pam_krb5
>>> #
>>> # Unless explicitly defined, all services use the modules
>>> # defined in the "other" section.
>>> #
>>> # Modules are defined with relative pathnames, i.e., they are
>>> # relative to /usr/lib/security/$ISA. Absolute path names, as
>>> # present in this file in previous releases are still acceptable.
>>> #
>>> # Authentication
>>> #
>>> # passwd command (explicit because of a different authentication
>>> module)
>>> #
>>> passwd  auth required           pam_passwd_auth.so.1
>>> #
>>> # Default definition for Authentication management
>>> # Used when service name is not explicitly mentioned for
>>> authentication
>>> #   management
>>> #
>>> other   auth requisite          pam_authtok_get.so.1
>>> other   auth sufficient         pam_unix_auth.so.1
>>> other   auth required           pam_krb5.so.1 use_first_pass debug
>>> #
>>> # Account
>>> #
>>> # cron service (explicit because of non-usage of pam_roles.so.1)
>>> #
>>> cron    account required        pam_projects.so.1
>>> cron    account required        pam_unix_account.so.1
>>> # See notes about pam_krb5 in "other" section below
>>> cron    account optional        pam_krb5.so.1 debug
>>> #
>>> # Default definition for Account management
>>> # Used when service name is not explicitly mentioned for account
>>> management
>>> #
>>> other   account requisite       pam_roles.so.1
>>> other   account required        pam_projects.so.1
>>> other   account required        pam_unix_account.so.1
>>> # According to the pam_krb5 man page, this checks for password
>>> expiration.
>>> # I'm not sure this does anything since I've flagged it as optional.
>>> # I'm not sure if I can make it required because of root.
>>> other   account optional        pam_krb5.so.1 debug
>>> #
>>> # Session
>>> #
>>> # Default definition for Session management
>>> # Used when service name is not explicitly mentioned for session
>>> management
>>> #
>>> other   session optional        pam_krb5.so.1 debug
>>> other   session required        pam_unix_session.so.1
>>> #
>>> # Password
>>> #
>>> # (Don't list pam_krb5 here, this section is only for root.  Regular
>>> # users must use the centralized department password changing
>>> mechanism.)
>>> #
>>> # Default definition for Password management
>>> # Used when service name is not explicitly mentioned for password
>>> management
>>> #
>>> other   password requisite      pam_authtok_get.so.1
>>> other   password requisite      pam_authtok_check.so.1
>>> other   password required       pam_authtok_store.so.1
>>> #
>>> I can ssh into the machine using the password from kerberos, when I
>>> let in I have the two tickets (TGT and TGS), but if I try to ssh on
>>> the same machine I have to retype the password, hence single sign on
>>> seems not working.
>>> Anyone can suggest me where am i wrong???
>>> Is the pam.conf correct?
>>> Does native Solaris ssh supports well gssapi delegation credentials??
>> It does on Solaris 10!
>>
>>
>>
>>> My goal is to obtain single sign on with as much as possible native
>>> solaris tool, with just an exception use MIT KERBEROS KDC SERVER!
>> We do that on Solaris 10 but using Windows AD as the KDC.
>>
>>
>>
>>> Thanks in advance!
>>> ________________________________________________
>>> Kerberos mailing list           Kerbe... at mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>> --
>>
>>   Douglas E. Engert  <DEEng... at anl.gov>
>>   Argonne National Laboratory
>>   9700 South Cass Avenue
>>   Argonne, Illinois  60439
>>   (630) 252-5444
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list