Solaris 9 Authentication

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Solaris 9 Authentication

scanell
Configuration:
MIT Kerberos 1.4
Solaris 9 Master
Solaris 9, MAC OSX, & PC Clients
/usr/lib/ssh/sshd daemon using pam_krb5.so.1
Pre-Auth enabled

Issue:
MAC and PC clients using ssh authenticate successfully against Solaris 9
servers and Kerberos system.
ssh -l <username> <hostA>
<username>@<hostA> Password: <Enter Kerberos Password>
Last login: Wed Jun 29 08:26:47 2005 from <client host>
motd message
$

Solaris 9 clients get the following error when using Kerberos
authentication:
ssh -l <username> <hostA>
<username>@<hostA> Password: <Enter Kerberos Password>
Permission denied, please try again.
<username>@<hostA> Password: <Enter Shadow Password>
Last login: Wed Jun 29 08:26:47 2005 from <client hostA>
motd message
$

Master kdc.log:
Jun 29 08:43:55 <master kerberos server> krb5kdc[10062](info): AS_REQ (2
etypes {3 1}) <hostA ip address> PREAUTH_FAILED: <username@REALM> for
krbtgt@REALM, Decrypt integrity check failed

Steve
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

Re: Solaris 9 Authentication

scanell
Since ssh authentication is taking place on the SUN server, I took a
copy of the keytab file from the Master kerberos server and placed it
place of the one created by running ktadd on hostA... now hostA has a
copy of the kadm5.keytab from the Master server.

Once I did this (and this was the same for the SLAVE Kerberos server),
then pre-auth works and I was able to sign in to hostA from another
Solaris box.

Can anyone tell me why this works... I am presuming it has something to
do with local authentication on hostA that requires the keytab file from
the Master where the ticket was originally created and thus the keytab
has the data necessary for decryption.

Steve

scanell wrote:

> Configuration:
> MIT Kerberos 1.4
> Solaris 9 Master
> Solaris 9, MAC OSX, & PC Clients
> /usr/lib/ssh/sshd daemon using pam_krb5.so.1
> Pre-Auth enabled
>
> Issue:
> MAC and PC clients using ssh authenticate successfully against Solaris
> 9 servers and Kerberos system.
> ssh -l <username> <hostA>
> <username>@<hostA> Password: <Enter Kerberos Password>
> Last login: Wed Jun 29 08:26:47 2005 from <client host>
> motd message
> $
>
> Solaris 9 clients get the following error when using Kerberos
> authentication:
> ssh -l <username> <hostA>
> <username>@<hostA> Password: <Enter Kerberos Password>
> Permission denied, please try again.
> <username>@<hostA> Password: <Enter Shadow Password>
> Last login: Wed Jun 29 08:26:47 2005 from <client hostA>
> motd message
> $
>
> Master kdc.log:
> Jun 29 08:43:55 <master kerberos server> krb5kdc[10062](info): AS_REQ
> (2 etypes {3 1}) <hostA ip address> PREAUTH_FAILED: <username@REALM>
> for krbtgt@REALM, Decrypt integrity check failed
>
> Steve
> ________________________________________________
> Kerberos mailing list           [hidden email]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

Re: Solaris 9 Authentication

Michael Marziani
"Decrypt integrity check" errors usually point to a keytab problem.  Although
I'm somewhat unsure why you had to copy your kadm5.keytab from the master
server, you should have instead created keytabs for each host.  In my setup (we
use Solaris 9 SEAM KDCs with Solaris 9 and Red Hat clients) for each ssh server
I want authenticating to the KDCs I simply log into kadmin from that host with
an admin principal, add a host principle for that server to the database, then
export a keytab containing the host pricipal.

On new host:
> kadmin -p <name>/admin
kadmin: addprinc -randkey host/<FQDN>
kadmin: ktadd host/<FQDN>

That should add the host service key to the default keytab on the system which
should be visible to pam_krb5.

Then adjust pam.conf to use pam_krb5 in the right places.

I'd feel strange moving my master kadm5.keytab to other servers, as I don't
think that's intended or necessary.  The Kerberos FAQ subject 2.3 seems to back
this up:

http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#filesappserv

Best regards,

-Michael


--- scanell <[hidden email]> wrote:

> Since ssh authentication is taking place on the SUN server, I took a
> copy of the keytab file from the Master kerberos server and placed it
> place of the one created by running ktadd on hostA... now hostA has a
> copy of the kadm5.keytab from the Master server.
>
> Once I did this (and this was the same for the SLAVE Kerberos server),
> then pre-auth works and I was able to sign in to hostA from another
> Solaris box.
>
> Can anyone tell me why this works... I am presuming it has something to
> do with local authentication on hostA that requires the keytab file from
> the Master where the ticket was originally created and thus the keytab
> has the data necessary for decryption.
>
> Steve
>
> scanell wrote:
>
> > Configuration:
> > MIT Kerberos 1.4
> > Solaris 9 Master
> > Solaris 9, MAC OSX, & PC Clients
> > /usr/lib/ssh/sshd daemon using pam_krb5.so.1
> > Pre-Auth enabled
> >
> > Issue:
> > MAC and PC clients using ssh authenticate successfully against Solaris
> > 9 servers and Kerberos system.
> > ssh -l <username> <hostA>
> > <username>@<hostA> Password: <Enter Kerberos Password>
> > Last login: Wed Jun 29 08:26:47 2005 from <client host>
> > motd message
> > $
> >
> > Solaris 9 clients get the following error when using Kerberos
> > authentication:
> > ssh -l <username> <hostA>
> > <username>@<hostA> Password: <Enter Kerberos Password>
> > Permission denied, please try again.
> > <username>@<hostA> Password: <Enter Shadow Password>
> > Last login: Wed Jun 29 08:26:47 2005 from <client hostA>
> > motd message
> > $
> >
> > Master kdc.log:
> > Jun 29 08:43:55 <master kerberos server> krb5kdc[10062](info): AS_REQ
> > (2 etypes {3 1}) <hostA ip address> PREAUTH_FAILED: <username@REALM>
> > for krbtgt@REALM, Decrypt integrity check failed
> >
> > Steve
> > ________________________________________________
> > Kerberos mailing list           [hidden email]
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> >
> ________________________________________________
> Kerberos mailing list           [hidden email]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos