Graham Freeman <[EMAIL PROTECTED]> writes:
> Folks,
>
> Sorry about my last post, which was MIME-encoded. Here's a repost with
> some updated information.
>
> First, let me start by saying that I have only a working knowledge of
> Solaris, Kerberos, and PAM. I'm not a programmer, but I (mostly) know how
> these things work, what they do, and how to use them.
>
> I hope this is the right forum for these questions. cc:ing me on your
> reply would be appreciated, although I'll make an effort to check back on
> this forum.
>
> That said, I'm having trouble with two different flavours of pam_krb5 on
> Solaris 8. I hope you can help.
>
>
> ...With the stock Solaris 8 pam_krb5...
>
> With the stock Solaris 8 PAM, things work better than with the fcusack
> PAM.
>
> ***Using telnet***
>
> When logging in from a Linux machine using RedHat 7.1 (with kerberos
> packages) using "telnet [hostname]" I am able to log in with the correct
> username and password. I am also given a proper-looking K5 ticket, as
> reported by "klist". However, this warning appears in the log:
>
> Sep 14 15:41:18 monster login: [ID 257133 auth.error] PAM-KRB5: no warning possible
yea, SEAM has a daemon ktkt_warnd(1M) that warns users when their krb5 creds
are about to expire (this is very important in a gss/krb5 nfs env).
So the call to the daemon is failing; make sure it's running.
>
> and then, after I run "kdestroy" and logout, this message appears in the
> log:
>
> Sep 14 15:41:30 monster telnetd[13867]: [ID 390226 daemon.error] PAM-KRB5:Could not obtain principal name
get me details on the conditions this happens and we can file a bug
if need be.
Btw, there are several pam_krb5 patches avail or in the works, so be
sure to grab them from Sun. And take a look at the SEAM doc on
docs.sun.com as the pam.conf stuff can be confusing. In particular,
note some krb5 entries are to "kinit" such as
dtlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
and others are to facilitate secure (relatively:-) single-sign-on such
as
ktelnet auth required /usr/lib/security/$ISA/pam_krb5.so.1 acceptor
And note this only works with the SEAM versions of the krb5 remote app
servers, unbundled for Solaris 2.6-8, and avail on 8 for no cost from
http://www.sun.com/bigadmin/content/adminPack/index.html
And be sure to grab the enhanced security krb5 gss mech from sun.com
too (this allows privacy in gss/krb5 nfs and the krb5 admin protocol).
hope this helps,
glenn
>
> ***Using SSH***
>
> I'm running OpenSSH 2.9p2 with the Kerberos/GSSAPI patch from the
> following URL:
> http://www.sxw.org.uk/computing/patches/openssh.html
>
> It configured with --with-pam and --with-kerberos5=/usr/local and compiled
> cleanly with gmake.
>
> When I try to login from my RH Linux 7.1 box (identical OpenSSH
> installation w/patch) via 'ssh -C -v -l username hostname', I can see that
> it successfully verifies the password via Kerberos (and an entry for the
> login appears in the 'last' log) but immediately kicks me back out without
> giving me a shell. The following two lines appear in /var/adm/messages:
>
> Sep 14 15:21:59 monster sshd[13756]: [ID 257133 auth.error] PAM-KRB5: no warning possible
> Sep 14 15:21:59 monster sshd[13756]: [ID 390226 auth.error] PAM-KRB5:Could not obtain principal name
>
>
> ...With http://www.fcusack.com/soft/pam_krb5-1.0.tar.gz...
>
> ***pam_krb5 compilation process***
>
> # pwd
> /var/tmp/krb/pam/pam_krb5
> # vi Makefile
> [edited Makefile]
> # gmake
> gcc -c -O2 -fPIC -I/usr/local/include pam_krb5_auth.c
> pam_krb5_auth.c: In function `pam_sm_setcred':
> pam_krb5_auth.c:291: warning: assignment discards qualifiers from pointer
> target type
> gcc -c -O2 -fPIC -I/usr/local/include pam_krb5_pass.c
> gcc -c -O2 -fPIC -I/usr/local/include pam_krb5_acct.c
> gcc -c -O2 -fPIC -I/usr/local/include pam_krb5_sess.c
> gcc -c -O2 -fPIC -I/usr/local/include support.c
> gcc -o pam_krb5.so.1 -G pam_krb5_auth.o pam_krb5_pass.o pam_krb5_acct.o
> pam_krb5_sess.o support.o -lpam -lnsl -lsocket -L/usr/local/lib -lkrb5
> -lk5crypto -lcom_err
> # gmake install
> cp pam_krb5.so.1 /usr/lib/security
> chown root:sys /usr/lib/security/pam_krb5.so.1
> ln -s ./pam_krb5.so.1 /usr/lib/security/pam_krb5.so
> cp pam_krb5.5 /usr/local/man/man5
> chown root:sys /usr/local/man/man5/pam_krb5.5
> # ls -l /usr/lib/security/pam_krb5.so*
> lrwxrwxrwx 1 root other 15 Sep 14 15:31 /usr/lib/security/pam_krb5.so -> ./pam_krb5.so.1
> -rwxr-xr-x 1 root sys 27392 Sep 14 15:31 /usr/lib/security/pam_krb5.so.1
> #
>
> *** With telnet ***
>
> When I try to telnet from my RH 7.1 box, I'm refused login and the
> following error appears in /var/adm/messages whether or not I use a valid
> username/password pair:
>
> Sep 12 22:06:56 monster login: [ID 487707 auth.error] load_modules: can not open module /usr/lib/security/pam_krb5.so.1
>
> *** via SSH ***
>
> I try logging in from my RH 7.1 box with "ssh -C -v -l username hostname".
> Trying the wrong password fails, and trying the right password does the
> same as with the stock Solaris pam_krb5 PAM but yields the following error
> in /var/adm/messages:
>
> Sep 14 15:59:11 monster sshd[13897]: [ID 800047 auth.crit] fatal: PAM setcred failed[3]: Error in underlying service module
>
>
>
>
> My system:
> Solaris 8 on an Enterprise 420R w/4 CPUs, 4GB RAM, 2 18GB hard drives
>
> # uname -a
> SunOS monster 5.8 Generic_108528-10 sun4u sparc SUNW,Ultra-80
> #
>
> Also, I'm using MIT's Kerberos 1.2.2 which configured, compiled and
> installed to /usr/local without any trouble. It just occurred to me that
> I didn't remove the default Solaris kerberized apps, but I'm not sure if
> that matters.
>
> Any and all advice would be greatly appreciated. I'm stumped.
>
>
> My pam.conf:
>
> ...begin pam.conf...
>
> #
> #ident "@(#)pam.conf 1.14 99/09/16 SMI"
> #
> # Copyright (c) 1996-1999, Sun Microsystems, Inc.
> # All Rights Reserved.
> #
> # PAM configuration
> #
> # Authentication management
> #
> login auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
> login auth sufficient /usr/lib/security/$ISA/pam_dial_auth.so.1
> #
> rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
> rlogin auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
> #
> dtlogin auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
> #
> rsh auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
> su auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
> other auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
> #
> # Account management
> #
> login account requisite /usr/lib/security/$ISA/pam_roles.so.1
> login account required /usr/lib/security/$ISA/pam_unix.so.1
> #
> dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1
> dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1
> #
> other account requisite /usr/lib/security/$ISA/pam_roles.so.1
> other account required /usr/lib/security/$ISA/pam_unix.so.1
> #
> # Session management
> #
> other session required /usr/lib/security/$ISA/pam_unix.so.1
> #
> # Password management
> #
> other password required /usr/lib/security/$ISA/pam_unix.so.1
> dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1
> #
> # Support for Kerberos V5 authentication (uncomment to use Kerberos)
> #
> rlogin auth required /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
> login auth required /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
> dtlogin auth required /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
> other auth required /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
> dtlogin account optional /usr/lib/security/$ISA/pam_krb5.so.1
> other account optional /usr/lib/security/$ISA/pam_krb5.so.1
> other session optional /usr/lib/security/$ISA/pam_krb5.so.1
> other password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
>
> ...end pam.conf...
>
>
> *** update ***
>
> With the pam.conf quoted below, I'm now able to login via SSH (using the
> stock Solaris PAM), but my ticket is owned by 'root' rather than the actual
> user... Huh?
>
>
> ... begin modified pam.conf ...
>
> #
> #ident "@(#)pam.conf 1.14 99/09/16 SMI"
> #
> # Copyright (c) 1996-1999, Sun Microsystems, Inc.
> # All Rights Reserved.
> #
> # PAM configuration
> #
> # Authentication management
> #
> login auth required /usr/lib/security/$ISA/pam_unix.so.1
> login auth required /usr/lib/security/pam_krb5.so.1 try_first_pass
> #
> rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
> rlogin auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
> #
> dtlogin auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
> #
> rsh auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
> su auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
> other auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
> #
> # Account management
> #
> login account requisite /usr/lib/security/$ISA/pam_roles.so.1
> login account required /usr/lib/security/$ISA/pam_unix.so.1
> #
> dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1
> dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1
> #
> other account requisite /usr/lib/security/$ISA/pam_roles.so.1
> other account required /usr/lib/security/$ISA/pam_unix.so.1
> #
> # Session management
> #
> other session required /usr/lib/security/$ISA/pam_unix.so.1
> #
> # Password management
> #
> other password required /usr/lib/security/$ISA/pam_unix.so.1
> dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1
> #
> # Support for Kerberos V5 authentication (uncomment to use Kerberos)
> #
> rlogin auth required /usr/lib/security/pam_krb5.so.1 try_first_pass
> #login auth required /usr/lib/security/pam_krb5.so.1 try_first_pass
> dtlogin auth required /usr/lib/security/pam_krb5.so.1 try_first_pass
> other auth required /usr/lib/security/pam_krb5.so.1 try_first_pass
> dtlogin account optional /usr/lib/security/pam_krb5.so.1
> other account optional /usr/lib/security/pam_krb5.so.1
> other session optional /usr/lib/security/pam_krb5.so.1
> other password optional /usr/lib/security/pam_krb5.so.1 try_first_pass
>
> ... end modified pam.conf ...
>
>
> Thanks in advance for any help you can provide.
>
> --
>
> Graham Freeman UNIX Systems Manager
> CATS-Instructional Computing tel: +1 831 459 2472
> U.C. Santa Cruz, CA, USA http://www.ic.ucsc.edu/help/
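The two pam.conf versions above differ mainly in the stacking flags on the "login auth" lines. As an added example, not code from the thread or from Sun, here is a small evaluator for Solaris-style pam.conf auth stacks; it assumes the documented flag semantics (sufficient short-circuits on success, required records a failure but keeps going, requisite stops on failure, optional does not change the outcome) and the Solaris rule that "other" entries apply only when a service has no entries of that module type. The config excerpts are constructed from the auth lines posted above.

```python
# Added example (not from the thread): which modules of a pam.conf auth stack
# actually run for a service, under the documented flag semantics.

# Constructed excerpts: the auth lines from the two pam.conf versions posted.
ORIGINAL_CONF = """
login auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
login auth sufficient /usr/lib/security/$ISA/pam_dial_auth.so.1
other auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
login auth required /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
other auth required /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
"""
MODIFIED_CONF = """
login auth required /usr/lib/security/$ISA/pam_unix.so.1
login auth required /usr/lib/security/pam_krb5.so.1 try_first_pass
other auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
other auth required /usr/lib/security/pam_krb5.so.1 try_first_pass
"""

def parse_pam_conf(text):
    """Group entries by (service, module_type), keeping file order."""
    stacks = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        service, mtype, flag, path, *opts = line.split()
        module = path.rsplit("/", 1)[-1]          # e.g. pam_krb5.so.1
        stacks.setdefault((service, mtype), []).append((flag, module, opts))
    return stacks

def stack_for(stacks, service, mtype="auth"):
    """'other' entries apply only when the service has none of this type."""
    return stacks.get((service, mtype)) or stacks.get(("other", mtype), [])

def evaluate(stack, results):
    """results maps module name -> True/False. Returns (success, modules_run)."""
    ran, required_failed = [], False
    for flag, module, _opts in stack:
        ok = results.get(module, False)
        ran.append(module)
        if flag == "requisite" and not ok:
            return False, ran                     # stop immediately
        if flag == "required" and not ok:
            required_failed = True                # keep going, fail at the end
        if flag == "sufficient" and ok and not required_failed:
            return True, ran                      # later modules never run
        # optional: its result does not change the outcome of this stack
    return not required_failed, ran

def modules_run(conf_text, service, results):
    return evaluate(stack_for(parse_pam_conf(conf_text), service), results)
```

With a valid Unix password, the original "login auth" stack returns at the sufficient pam_unix entry and pam_krb5 is never consulted, while the modified stack runs both modules; a service with no entries of its own (such as sshd) falls through to the "other" stack.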