Kerberos MIT SSH Solaris 9
Douglas E. Engert
deengert at anl.gov
Fri Feb 8 12:21:41 EST 2008
Andrea wrote:
> On 7 Feb, 20:37, "Douglas E. Engert" <deeng... at anl.gov> wrote:
>> Andrea wrote:
>>> Hi all,
>>> I'm experiencing some problems kerberizing ssh on Solaris 9 with MIT
>>> Kerberos.
>>> I have the following setup:
>>> 1. Sun Solaris 5.9
>>> 2. MIT Kerberos KDC 1.6.3 ( I use just the kdc from the MIT Kerberos)
>>> 3. On the Kerberos client side I used the one from Solaris, from the
>>> following package: SUNWkrbu
>>> 4. Sun_SSH_1.1, SSH protocols 1.5/2.0, OpenSSL 0x0090700f
>> I don't believe the Solaris 9 sshd supports GSSAPI, which is what you
>> are looking for. On Solaris 9 we use OpenSSH and the MIT Kerberos.
>> (/usr/bin/ldd /usr/lib/ssh/sshd does not show any Kerberos or gssapi libs.)
>>
> If I type ldd /usr/lib/ssh/sshd I obtain the following result:
>
> root at colcascms # ldd /usr/lib/ssh/sshd
> libsocket.so.1 => /usr/lib/libsocket.so.1
> libnsl.so.1 => /usr/lib/libnsl.so.1
> libz.so.1 => /usr/lib/libz.so.1
> libpam.so.1 => /usr/lib/libpam.so.1
> libbsm.so.1 => /usr/lib/libbsm.so.1
> libwrap.so.1 => /usr/sfw/lib/libwrap.so.1
> libmd5.so.1 => /usr/lib/libmd5.so.1
> libcmd.so.1 => /usr/lib/libcmd.so.1
> libgss.so.1 => /usr/lib/libgss.so.1
> libc.so.1 => /usr/lib/libc.so.1
> libdl.so.1 => /usr/lib/libdl.so.1
> libmp.so.2 => /usr/lib/libmp.so.2
> libxfn.so.2 => /usr/lib/libxfn.so.2
> /usr/platform/SUNW,Sun-Fire-V440/lib/libmd5_psr.so.1
> /usr/platform/SUNW,Sun-Fire-V440/lib/libc_psr.so.1
> And then I investigated how ssh calls the library libgss (with
> truss), and it seems that ssh, through libgss, tries to obtain the ticket
> credential. This is part of the output of the truss command, launched as follows: truss
> -u mech_krb5,libgss:: ssh user at hostname:
>
> -> libgss:gss_acquire_cred(0xffbff660, 0x0, 0x0, 0x116938)
> open("/var/run/rpc_door/rpc_100029.1", O_RDONLY) Err#2 ENOENT
> open("/var/run/rpc_door/rpc_100029.1", O_RDONLY) Err#2 ENOENT
>
> getuid() = 0 [0]
> open("/tmp/krb5cc_0", O_RDONLY) Err#2 ENOENT
> open("/tmp/krb5cc_0", O_RDONLY) Err#2 ENOENT
> <- libgss:gss_acquire_cred() = 0x70000
>
> It seems that this ssh does support GSS-API in some way.
I stand corrected, it looks like it does support GSSAPI.
>
> Any further suggestions??
As root, run another server in the foreground:
/usr/lib/ssh/sshd -ddd -p 2222
Then on a client, as a user (not root) with tickets:
/usr/bin/ssh -vvv -p 2222 hostname
>
> Thanks for the precious suggestions.
>
> Bye
>
>> But on Solaris 10, the Sun ssh/sshd does support GSSAPI, and works
>> well with GSSAPI using the Sun Kerberos.
>>
>>> This is my pam.conf:
>>> # PAM configuration
>>> #
>>> # Customized to try pam_unix, then pam_krb5
>>> #
>>> # Unless explicitly defined, all services use the modules
>>> # defined in the "other" section.
>>> #
>>> # Modules are defined with relative pathnames, i.e., they are
>>> # relative to /usr/lib/security/$ISA. Absolute path names, as
>>> # present in this file in previous releases are still acceptable.
>>> #
>>> # Authentication
>>> #
>>> # passwd command (explicit because of a different authentication module)
>>> #
>>> passwd auth required pam_passwd_auth.so.1
>>> #
>>> # Default definition for Authentication management
>>> # Used when service name is not explicitly mentioned for authentication management
>>> #
>>> other auth requisite pam_authtok_get.so.1
>>> other auth sufficient pam_unix_auth.so.1
>>> other auth required pam_krb5.so.1 use_first_pass debug
>>> #
>>> # Account
>>> #
>>> # cron service (explicit because of non-usage of pam_roles.so.1)
>>> #
>>> cron account required pam_projects.so.1
>>> cron account required pam_unix_account.so.1
>>> # See notes about pam_krb5 in "other" section below
>>> cron account optional pam_krb5.so.1 debug
>>> #
>>> # Default definition for Account management
>>> # Used when service name is not explicitly mentioned for account management
>>> #
>>> other account requisite pam_roles.so.1
>>> other account required pam_projects.so.1
>>> other account required pam_unix_account.so.1
>>> # According to the pam_krb5 man page, this checks for password expiration.
>>> # I'm not sure this does anything since I've flagged it as optional.
>>> # I'm not sure if I can make it required because of root.
>>> other account optional pam_krb5.so.1 debug
>>> #
>>> # Session
>>> #
>>> # Default definition for Session management
>>> # Used when service name is not explicitly mentioned for session management
>>> #
>>> other session optional pam_krb5.so.1 debug
>>> other session required pam_unix_session.so.1
>>> #
>>> # Password
>>> #
>>> # (Don't list pam_krb5 here, this section is only for root. Regular
>>> # users must use the centralized department password changing mechanism.)
>>> #
>>> # Default definition for Password management
>>> # Used when service name is not explicitly mentioned for password management
>>> #
>>> other password requisite pam_authtok_get.so.1
>>> other password requisite pam_authtok_check.so.1
>>> other password required pam_authtok_store.so.1
>>> #
>>> I can ssh into the machine using the password from Kerberos, and once I'm
>>> logged in I have the two tickets (TGT and TGS), but if I try to ssh to
>>> the same machine I have to retype the password, hence single sign-on
>>> seems not to be working.
>>> Can anyone suggest where I am going wrong?
>>> Is the pam.conf correct?
>>> Does native Solaris ssh support GSSAPI credential delegation well?
>> It does on Solaris 10!
>>
>>> My goal is to obtain single sign-on with as many native Solaris tools
>>> as possible, the only exception being the use of the MIT Kerberos KDC server!
>> We do that on Solaris 10 but using Windows AD as the KDC.
>>
>>> Thanks in advance!
>>> ________________________________________________
>>> Kerberos mailing list Kerbe... at mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>> --
>>
>> Douglas E. Engert <DEEng... at anl.gov>
>> Argonne National Laboratory
>> 9700 South Cass Avenue
>> Argonne, Illinois 60439
>> (630) 252-5444
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
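An added POSIX sh example, not code from this thread, that mechanises the two checks the exchange above turns on: whether the sshd binary is linked against libgss.so.1, and what the truss excerpt says about the failed gss_acquire_cred. The major status 0x70000 decodes to routine error 7, GSS_S_NO_CRED, which is consistent with the trace's failed open of /tmp/krb5cc_0 (root held no ticket cache). The ldd and truss text fed to the functions is constructed from the excerpts quoted above.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes POSIX sh with arithmetic
# expansion; the ldd and truss text below is constructed from the excerpts.
# Constructed sample of `ldd /usr/lib/ssh/sshd` output.
LDD_SAMPLE='libpam.so.1 => /usr/lib/libpam.so.1
libgss.so.1 => /usr/lib/libgss.so.1
libc.so.1 => /usr/lib/libc.so.1'

# Constructed excerpt of `truss -u mech_krb5,libgss:: ssh ...` output.
TRUSS_SAMPLE='-> libgss:gss_acquire_cred(0xffbff660, 0x0, 0x0, 0x116938)
getuid() = 0 [0]
open("/tmp/krb5cc_0", O_RDONLY) Err#2 ENOENT
<- libgss:gss_acquire_cred() = 0x70000'

# Is the binary linked against the GSS-API framework? Sun's libgss loads
# mech_krb5 at run time, so only libgss.so.1 itself appears in ldd output.
sshd_has_gss() {
    printf '%s\n' "$1" | grep -q '^libgss\.so\.1 =>'
}

# Name the routine error in a GSS-API major status (RFC 2744: calling error
# in bits 24-31, routine error in bits 16-23, supplementary info in 0-15).
gss_routine_error() {
    case $(( ($1 >> 16) & 0xff )) in
        0)  echo GSS_S_COMPLETE ;;
        7)  echo GSS_S_NO_CRED ;;
        11) echo GSS_S_CREDENTIALS_EXPIRED ;;
        13) echo GSS_S_FAILURE ;;
        16) echo GSS_S_UNAVAILABLE ;;
        *)  echo "GSS_S_routine_error_$(( ($1 >> 16) & 0xff ))" ;;
    esac
}

# Explain a failed gss_acquire_cred from a truss excerpt: pair the returned
# major status with the credential cache the mechanism could not open.
diagnose_truss() {
    cache=$(printf '%s\n' "$1" | sed -n 's/^open("\([^"]*krb5cc[^"]*\)".*ENOENT.*/\1/p' | head -n 1)
    status=$(printf '%s\n' "$1" | sed -n 's/^<- libgss:gss_acquire_cred() = \(0x[0-9a-fA-F]*\).*/\1/p' | head -n 1)
    [ -n "$status" ] || { echo "no gss_acquire_cred return seen"; return 1; }
    err=$(gss_routine_error "$status")
    if [ -n "$cache" ]; then
        echo "$err: no credential cache at $cache (kinit as that user first)"
    else
        echo "$err"
    fi
}
# Stand-alone run over the constructed samples.
sshd_has_gss "$LDD_SAMPLE" && echo "sshd is linked against libgss.so.1"
diagnose_truss "$TRUSS_SAMPLE"
```

On a real host, feed the functions the live output of `ldd /usr/lib/ssh/sshd` and of the truss command quoted above instead of the constructed samples.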