Solaris 9 Authentication

2005-06-29 Thread scanell

Configuration:
MIT Kerberos 1.4
Solaris 9 Master
Solaris 9, Mac OS X, PC Clients
/usr/lib/ssh/sshd daemon using pam_krb5.so.1
Pre-Auth enabled

Issue:
MAC and PC clients using ssh authenticate successfully against Solaris 9 
servers and Kerberos system.

ssh -l username hostA
username@hostA Password: Enter Kerberos Password
Last login: Wed Jun 29 08:26:47 2005 from client host
motd message
$

Solaris 9 clients get the following error when using Kerberos 
authentication:

ssh -l username hostA
username@hostA Password: Enter Kerberos Password
Permission denied, please try again.
username@hostA Password: Enter Shadow Password
Last login: Wed Jun 29 08:26:47 2005 from client hostA
motd message
$

Master kdc.log:
Jun 29 08:43:55 master kerberos server krb5kdc[10062](info): AS_REQ (2 
etypes {3 1}) hostA ip address PREAUTH_FAILED: [EMAIL PROTECTED] for 
[EMAIL PROTECTED], Decrypt integrity check failed


Steve

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: Solaris 9 Authentication

2005-06-29 Thread scanell
Since ssh authentication is taking place on the SUN server, I took a 
copy of the keytab file from the Master kerberos server and placed it in 
place of the one created by running ktadd on hostA... now hostA has a 
copy of the kadm5.keytab from the Master server.


Once I did this (and this was the same for the SLAVE Kerberos server), 
then pre-auth works and I was able to sign in to hostA from another 
Solaris box.


Can anyone tell me why this works... I am presuming it has something to 
do with local authentication on hostA that requires the keytab file from 
the Master where the ticket was originally created and thus the keytab 
has the data necessary for decryption.


Steve



Re: Solaris 9 Authentication

2005-06-29 Thread Michael Marziani
Decrypt integrity check errors usually point to a keytab problem.  Although
I'm somewhat unsure why you had to copy your kadm5.keytab from the master
server, you should have instead created keytabs for each host.  In my setup (we
use Solaris 9 SEAM KDCs with Solaris 9 and Red Hat clients) for each ssh server
I want authenticating to the KDCs I simply log into kadmin from that host with
an admin principal, add a host principal for that server to the database, then
export a keytab containing the host principal.

On new host:
kadmin -p name/admin
kadmin: addprinc -randkey host/FQDN
kadmin: ktadd host/FQDN

That should add the host service key to the default keytab on the system which
should be visible to pam_krb5.

Then adjust pam.conf to use pam_krb5 in the right places.

I'd feel strange moving my master kadm5.keytab to other servers, as I don't
think that's intended or necessary.  The Kerberos FAQ subject 2.3 seems to back
this up:

http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#filesappserv

Best regards,

-Michael


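Michael's reply attributes "Decrypt integrity check failed" errors to a keytab problem and describes exporting a per-host keytab with `kadmin ktadd`. The check a practitioner wants before touching the KDC is whether the keytab on the ssh host actually holds the host service key at the key version (kvno) the KDC currently has. The following is an added example, not code from the thread or from MIT Kerberos: it parses the MIT keytab v2 file format and compares the entries against a kvno obtained from the KDC (for instance via `kadmin getprinc`). The hostname `hostA.example.com`, the realm `EXAMPLE.COM`, the kvno values, timestamps and key bytes are constructed placeholders; the sample keytabs are built in-process so the script runs offline.

```python
"""Added example: parse an MIT keytab and verify it holds the host service key
that pam_krb5/sshd on a client host needs.  Not code from the thread; the
hostname, realm, kvno, timestamps and key bytes below are constructed placeholders."""
import struct

# Kerberos enctype numbers; 3 and 1 are the ones in the thread's KDC log ("etypes {3 1}").
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
NT_PRINCIPAL = 1


def _counted(data: bytes) -> bytes:
    """16-bit length-prefixed octet string, as used inside keytab entries."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key, timestamp) tuples into MIT keytab v2 bytes.
    Used here only to construct sample input; a real keytab comes from 'kadmin ktadd'."""
    blob = b"\x05\x02"
    for principal, kvno, enctype, key, timestamp in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", NT_PRINCIPAL, timestamp, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)  # 32-bit kvno that newer MIT writers append
        blob += struct.pack(">i", len(body)) + body  # size excludes the 4-byte size field
    return blob


def parse_keytab(blob: bytes):
    """Return a list of dicts (principal, kvno, enctype, key, timestamp) from a v2 keytab."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not an MIT keytab v2 file")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:  # negative size marks a deleted slot; skip the hole
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        strings = []
        for _ in range(ncomp + 1):  # realm first, then the name components
            (n,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            strings.append(blob[pos:pos + n].decode())
            pos += n
        realm, components = strings[0], strings[1:]
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        enctype, keylen = struct.unpack_from(">HH", blob, pos)
        pos += 4
        key = blob[pos:pos + keylen]
        pos += keylen
        kvno = vno8
        if end - pos >= 4:  # optional 32-bit kvno overrides the 8-bit one when non-zero
            (kvno32,) = struct.unpack_from(">I", blob, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append({"principal": "/".join(components) + "@" + realm, "kvno": kvno,
                        "enctype": enctype, "key": key, "timestamp": timestamp})
    return entries


def check_host_key(blob: bytes, principal: str, kdc_kvno: int):
    """Compare the keytab against what the KDC reports (e.g. from 'kadmin getprinc').
    Returns (ok, message); a missing or stale host key is the classic cause of decrypt errors."""
    matches = [e for e in parse_keytab(blob) if e["principal"] == principal]
    if not matches:
        return False, f"{principal} not in keytab: run 'kadmin ktadd {principal.split('@')[0]}' on this host"
    kvnos = sorted({e["kvno"] for e in matches})
    if kdc_kvno not in kvnos:
        return False, f"keytab holds kvno {kvnos} but the KDC has kvno {kdc_kvno}: key is stale, re-run ktadd"
    etypes = ", ".join(ENCTYPE_NAMES.get(e["enctype"], str(e["enctype"]))
                       for e in matches if e["kvno"] == kdc_kvno)
    return True, f"{principal} kvno {kdc_kvno} present ({etypes})"


# Constructed samples: a keytab exported before the key was rotated (kvno 1 on disk, 2 on the KDC)
# and a fresh one that matches the KDC.  FQDN, realm, keys and timestamps are placeholders.
SAMPLE_PRINCIPAL = "host/hostA.example.com@EXAMPLE.COM"
STALE_KEYTAB = build_keytab([(SAMPLE_PRINCIPAL, 1, 3, b"\x11" * 8, 1120000000),
                             (SAMPLE_PRINCIPAL, 1, 1, b"\x22" * 8, 1120000000)])
FRESH_KEYTAB = build_keytab([(SAMPLE_PRINCIPAL, 2, 3, b"\x33" * 8, 1120040000),
                             (SAMPLE_PRINCIPAL, 2, 1, b"\x44" * 8, 1120040000)])

if __name__ == "__main__":
    for label, keytab in (("stale", STALE_KEYTAB), ("fresh", FRESH_KEYTAB)):
        print(label, check_host_key(keytab, SAMPLE_PRINCIPAL, kdc_kvno=2))
```

To run it against a real host, read `/etc/krb5/krb5.keytab` (the Solaris default location) into `blob` and pass the kvno that `kadmin getprinc host/FQDN` prints for the principal. A stale kvno means the key on disk no longer matches the KDC's, which is exactly the case `ktadd` on the host fixes without copying the master's `kadm5.keytab` anywhere; the master's keytab holds the kadmin service keys, not the host's, so it should stay on the KDC.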