Robert Sturrock wrote:
> Hello.
>
> I'm trying to configure a Solaris 10 server to allow kerberos-based
> logins with Sun's SSHD. I set "GSSAPIAuthentication yes" in
> the sshd_config. My pam.conf is displayed below.
>
> I _think_ this problem might have been the subject of discussion here:
>
> http://newsgroups.derkeiler.com/Archive/Comp/comp.protocols.kerberos/2006-08/msg00094.html

Yes, that would be me.

> .. which says in part:
>
> > The sshd does not set the KRB5CCNAME correctly either. We do this
> > with pam_krb5_cache.so.1 ccache=/tmp/krb5cc_%u_%p (user and PID)
> > to get session based credentials if possible. Works from sshd-gssapi,
> > but not from dtlogin where we are stuck with user based credentials.
>
> Do I need to set up pam_krb5_cache? If so, can someone please provide
> a pointer to this as it does not seem to be a standard Solaris 10 PAM
> module.

ftp://achilles.ctd.anl.gov/pub/DEE/pam_krb5_ccache-0.1.tar

There is a README and an example pam.conf in there too.

> FYI, the ultimate objective here is to automatically get AFS tokens on
> login, but this is not working in all circumstances because
> pam-afs-session expects KRB5CCNAME to be set.

That was our goal too. We are using pam_afs2. pam_afs_session should also work.

> Regards
>
> Robert Sturrock.
>
> ---
> #
> #ident "@(#)pam.conf 1.28 04/04/21 SMI"
> #
> # Copyright 2004 Sun Microsystems, Inc. All rights reserved.
> # Use is subject to license terms.
> #
> # PAM configuration
> #
> # Unless explicitly defined, all services use the modules
> # defined in the "other" section.
> #
> # Modules are defined with relative pathnames, i.e., they are
> # relative to /usr/lib/security/$ISA. Absolute path names, as
> # present in this file in previous releases are still acceptable.
> #
> # Authentication management
> #
> # login service (explicit because of pam_dial_auth)
> #
> login   auth requisite pam_authtok_get.so.1
> login   auth required  pam_dhkeys.so.1
> login   auth required  pam_unix_cred.so.1
> login   auth required  pam_unix_auth.so.1
> login   auth required  pam_dial_auth.so.1
> #
> # rlogin service (explicit because of pam_rhost_auth)
> #
> rlogin  auth sufficient pam_rhosts_auth.so.1
> rlogin  auth requisite  pam_authtok_get.so.1
> rlogin  auth required   pam_dhkeys.so.1
> rlogin  auth required   pam_unix_cred.so.1
> rlogin  auth required   pam_unix_auth.so.1
> #
> # Kerberized rlogin service
> #
> krlogin auth required pam_unix_cred.so.1
> krlogin auth binding  pam_krb5.so.1
> krlogin auth required pam_unix_auth.so.1
> #
> # rsh service (explicit because of pam_rhost_auth,
> # and pam_unix_auth for meaningful pam_setcred)
> #
> rsh     auth sufficient pam_rhosts_auth.so.1
> rsh     auth required   pam_unix_cred.so.1
> #
> # Kerberized rsh service
> #
> krsh    auth required pam_unix_cred.so.1
> krsh    auth binding  pam_krb5.so.1
> krsh    auth required pam_unix_auth.so.1
> #
> # Kerberized telnet service
> #
> ktelnet auth required pam_unix_cred.so.1
> ktelnet auth binding  pam_krb5.so.1
> ktelnet auth required pam_unix_auth.so.1
> #
> # PPP service (explicit because of pam_dial_auth)
> #
> ppp     auth requisite pam_authtok_get.so.1
> ppp     auth required  pam_dhkeys.so.1
> ppp     auth required  pam_unix_cred.so.1
> ppp     auth required  pam_unix_auth.so.1
> ppp     auth required  pam_dial_auth.so.1
> #
> # Default definitions for Authentication management
> # Used when service name is not explicitly mentioned for authentication
> #
> other   auth requisite  pam_authtok_get.so.1
> other   auth required   pam_dhkeys.so.1
> other   auth required   pam_unix_cred.so.1
> other   auth sufficient pam_krb5.so.1
> other   auth required   pam_unix_auth.so.1
> other   auth optional   /usr/local/lib/security/pam_afs_session.so debug
> #
> # passwd command (explicit because of a different authentication module)
> #
> passwd  auth required pam_passwd_auth.so.1
> #
> # cron service (explicit because of non-usage of pam_roles.so.1)
> #
> cron    account required pam_unix_account.so.1
> #
> # Default definition for Account management
> # Used when service name is not explicitly mentioned for account management
> #
> other   account requisite pam_roles.so.1
> other   account required  pam_unix_account.so.1
> other   account required  pam_krb5.so.1
> #
> # Default definition for Session management
> # Used when service name is not explicitly mentioned for session management
> #
> other   session required pam_unix_session.so.1
> other   session required /usr/local/lib/security/pam_afs_session.so debug
> #
> # Default definition for Password management
> # Used when service name is not explicitly mentioned for password management
> #
> other   password required  pam_dhkeys.so.1
> other   password requisite pam_authtok_get.so.1
> other   password requisite pam_authtok_check.so.1
> other   password required  pam_authtok_store.so.1
> other   password optional  pam_krb5.so.1
> #
> # Support for Kerberos V5 authentication and example configurations can
> # be found in the pam_krb5(5) man page under the "EXAMPLES" section.
> #
> sshd    auth sufficient pam_krb5.so.1 try_first_pass
> sshd    auth required   pam_unix_auth.so.1

-- 
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
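Added example, not part of the thread or of the pam_krb5_ccache module: a POSIX shell check for the per-session credential cache that the `ccache=/tmp/krb5cc_%u_%p` arrangement quoted above is meant to produce and export through KRB5CCNAME, run before a session module such as pam_afs_session relies on it. The function names and the constructed test files are assumptions; the check accepts only a FILE: cache that exists, is owned by the expected uid and is mode 0600.

```shell
#!/bin/sh
# Added example (not from the thread). Validates the per-session Kerberos
# credential cache a PAM module is expected to create as
# /tmp/krb5cc_<uid>_<pid> and publish in KRB5CCNAME, so a later session
# module (pam_afs_session, aklog) does not act on a missing, foreign or
# world-readable cache. Function names are assumptions for this example.

# expand_ccache_template TEMPLATE UID PID
# Expands the %u (uid) and %p (pid) tokens of a ccache= template,
# e.g. /tmp/krb5cc_%u_%p -> /tmp/krb5cc_1000_4242
expand_ccache_template() {
    printf '%s\n' "$1" | sed -e "s/%u/$2/g" -e "s/%p/$3/g"
}

# check_session_ccache KRB5CCNAME_VALUE EXPECTED_UID
# Returns 0 only when the value names a FILE: cache that exists, is a
# regular file, is owned by EXPECTED_UID and is readable by the owner only.
check_session_ccache() {
    ccname=$1
    want_uid=$2
    case $ccname in
        FILE:*) path=${ccname#FILE:} ;;
        '')     echo "KRB5CCNAME is not set" >&2; return 1 ;;
        *)      echo "unsupported ccache type: $ccname" >&2; return 1 ;;
    esac
    [ -f "$path" ] || { echo "$path: not a regular file" >&2; return 1; }
    # find -user/-perm is portable across Solaris, BSD and GNU userlands;
    # -perm 0600 is an exact match, so group/world bits fail the check.
    if [ -z "$(find "$path" -prune -user "$want_uid" -perm 0600 -print)" ]; then
        echo "$path: wrong owner or mode (need uid $want_uid, mode 0600)" >&2
        return 1
    fi
    return 0
}
```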
