Solaris 9 Authentication - Kerberos



Thread: Solaris 9 Authentication

  1. Solaris 9 Authentication

    Configuration:
    MIT Kerberos 1.4
    Solaris 9 Master
    Solaris 9, MAC OSX, & PC Clients
    /usr/lib/ssh/sshd daemon using pam_krb5.so.1
    Pre-Auth enabled

    Issue:
    MAC and PC clients using ssh authenticate successfully against Solaris 9
    servers and Kerberos system.
    ssh -l
    @ Password:
    Last login: Wed Jun 29 08:26:47 2005 from
    motd message
    $

    Solaris 9 clients get the following error when using Kerberos
    authentication:
    ssh -l
    @ Password:
    Permission denied, please try again.
    @ Password:
    Last login: Wed Jun 29 08:26:47 2005 from
    motd message
    $

    Master kdc.log:
    Jun 29 08:43:55 krb5kdc[10062](info): AS_REQ (2 etypes {3 1}) PREAUTH_FAILED: for krbtgt@REALM, Decrypt integrity check failed

    Steve
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Solaris 9 Authentication

    Since ssh authentication is taking place on the SUN server, I took a
    copy of the keytab file from the Master kerberos server and placed it in
    place of the one created by running ktadd on hostA... now hostA has a
    copy of the kadm5.keytab from the Master server.

    Once I did this (and this was the same for the SLAVE Kerberos server),
    then pre-auth works and I was able to sign in to hostA from another
    Solaris box.

    Can anyone tell me why this works... I am presuming it has something to
    do with local authentication on hostA that requires the keytab file from
    the Master where the ticket was originally created and thus the keytab
    has the data necessary for decryption.

    Steve

    scanell wrote:

    > Configuration:
    > MIT Kerberos 1.4
    > Solaris 9 Master
    > Solaris 9, MAC OSX, & PC Clients
    > /usr/lib/ssh/sshd daemon using pam_krb5.so.1
    > Pre-Auth enabled
    >
    > Issue:
    > MAC and PC clients using ssh authenticate successfully against Solaris
    > 9 servers and Kerberos system.
    > ssh -l
    > @ Password:
    > Last login: Wed Jun 29 08:26:47 2005 from
    > motd message
    > $
    >
    > Solaris 9 clients get the following error when using Kerberos
    > authentication:
    > ssh -l
    > @ Password:
    > Permission denied, please try again.
    > @ Password:
    > Last login: Wed Jun 29 08:26:47 2005 from
    > motd message
    > $
    >
    > Master kdc.log:
    > Jun 29 08:43:55 krb5kdc[10062](info): AS_REQ
    > (2 etypes {3 1}) PREAUTH_FAILED:
    > for krbtgt@REALM, Decrypt integrity check failed
    >
    > Steve



  3. Re: Solaris 9 Authentication

    "Decrypt integrity check" errors usually point to a keytab problem. Although
    I'm somewhat unsure why you had to copy your kadm5.keytab from the master
    server, you should have instead created keytabs for each host. In my setup (we
    use Solaris 9 SEAM KDCs with Solaris 9 and Red Hat clients) for each ssh server
    I want authenticating to the KDCs I simply log into kadmin from that host with
    an admin principal, add a host principal for that server to the database, then
    export a keytab containing the host principal.

    On new host:
    > kadmin -p /admin

    kadmin: addprinc -randkey host/
    kadmin: ktadd host/

    That should add the host service key to the default keytab on the system which
    should be visible to pam_krb5.

    Then adjust pam.conf to use pam_krb5 in the right places.

    I'd feel strange moving my master kadm5.keytab to other servers, as I don't
    think that's intended or necessary. The Kerberos FAQ subject 2.3 seems to back
    this up:

    http://www.cmf.nrl.navy.mil/CCS/peop...l#filesappserv

    Best regards,

    -Michael


    --- scanell wrote:

    > Since ssh authentication is taking place on the SUN server, I took a
    > copy of the keytab file from the Master kerberos server and placed it in
    > place of the one created by running ktadd on hostA... now hostA has a
    > copy of the kadm5.keytab from the Master server.
    >
    > Once I did this (and this was the same for the SLAVE Kerberos server),
    > then pre-auth works and I was able to sign in to hostA from another
    > Solaris box.
    >
    > Can anyone tell me why this works... I am presuming it has something to
    > do with local authentication on hostA that requires the keytab file from
    > the Master where the ticket was originally created and thus the keytab
    > has the data necessary for decryption.
    >
    > Steve
    >
    > scanell wrote:
    >
    > > Configuration:
    > > MIT Kerberos 1.4
    > > Solaris 9 Master
    > > Solaris 9, MAC OSX, & PC Clients
    > > /usr/lib/ssh/sshd daemon using pam_krb5.so.1
    > > Pre-Auth enabled
    > >
    > > Issue:
    > > MAC and PC clients using ssh authenticate successfully against Solaris
    > > 9 servers and Kerberos system.
    > > ssh -l
    > > @ Password:
    > > Last login: Wed Jun 29 08:26:47 2005 from
    > > motd message
    > > $
    > >
    > > Solaris 9 clients get the following error when using Kerberos
    > > authentication:
    > > ssh -l
    > > @ Password:
    > > Permission denied, please try again.
    > > @ Password:
    > > Last login: Wed Jun 29 08:26:47 2005 from
    > > motd message
    > > $
    > >
    > > Master kdc.log:
    > > Jun 29 08:43:55 krb5kdc[10062](info): AS_REQ
    > > (2 etypes {3 1}) PREAUTH_FAILED:
    > > for krbtgt@REALM, Decrypt integrity check failed
    > >
    > > Steve



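    The two pieces of advice in Michael's reply (one host/<fqdn> key per ssh
    server, and no copy of the master's kadm5.keytab on application hosts) can
    be checked mechanically on each server. The script below is an added example
    written for this thread, not code from either poster or from MIT Kerberos.
    It reads the text output of `klist -kt` (assumed MIT layout: KVNO, timestamp,
    principal) rather than the keytab itself, so it runs offline on the three
    constructed listings embedded in it; hostA.example.com and EXAMPLE.COM are
    placeholder names. The third check, flagging a principal that appears with
    more than one key version, goes a little beyond the thread: a stale key
    version left in the keytab after a re-key is a common cause of the same
    "Decrypt integrity check failed" symptom.

```sh
#!/bin/sh
# Added example (not from the thread): audit an ssh server's Kerberos keytab
# from the text output of `klist -kt` (assumed MIT format: KVNO, timestamp,
# principal).  Hostnames and the realm below are placeholders.

# Constructed listing: a host keytab built the way Michael describes
# (addprinc -randkey host/<fqdn>; ktadd host/<fqdn>), two enctypes, one KVNO.
SAMPLE_HOST_KEYTAB=$(cat <<'EOF'
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------
   2 06/29/05 08:40:01 host/hostA.example.com@EXAMPLE.COM
   2 06/29/05 08:40:01 host/hostA.example.com@EXAMPLE.COM
EOF
)

# Constructed listing: what a master's kadm5.keytab looks like once it has been
# dropped onto an application server (Steve's workaround).  kadmin/* keys
# belong only on the kadmin server, and there is no host key for this machine.
SAMPLE_COPIED_KADM5_KEYTAB=$(cat <<'EOF'
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------
   3 06/29/05 08:12:55 kadmin/admin@EXAMPLE.COM
   3 06/29/05 08:12:55 kadmin/changepw@EXAMPLE.COM
EOF
)

# Constructed listing: a host re-keyed with ktadd while the old entry was left
# behind, so one principal carries two key versions.
SAMPLE_STALE_KEYTAB=$(cat <<'EOF'
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------
   2 06/29/05 08:40:01 host/hostA.example.com@EXAMPLE.COM
   3 06/29/05 09:15:30 host/hostA.example.com@EXAMPLE.COM
EOF
)

# Print the principal column only; data rows are the ones starting with a KVNO.
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $NF }'
}

# Exit 0 if the listing carries a key for host/<fqdn>@<realm>.
keytab_has_host_key() {
    keytab_principals "$1" | grep -qxF "host/$2@$3"
}

# Print KDC/kadmin service principals that should never sit on an ssh server.
keytab_foreign_principals() {
    keytab_principals "$1" | grep -E '^(kadmin|krbtgt)/' | sort -u
}

# Print principals that appear with more than one KVNO.  Several enctypes
# under a single KVNO are normal and are not reported.
keytab_kvno_conflicts() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+$/ && !(($NF, $1) in seen) { seen[$NF, $1] = 1; kvnos[$NF]++ }
        END { for (p in kvnos) if (kvnos[p] > 1) print p }' | sort
}

# Human-readable report; returns 0 only when every check passes.
audit_keytab() {
    listing=$1 fqdn=$2 realm=$3 rc=0
    if keytab_has_host_key "$listing" "$fqdn" "$realm"; then
        echo "OK:   host/$fqdn@$realm present"
    else
        echo "FAIL: no host/$fqdn@$realm key (addprinc -randkey / ktadd it)"; rc=1
    fi
    foreign=$(keytab_foreign_principals "$listing")
    if [ -n "$foreign" ]; then
        echo "FAIL: KDC-only keys present, this looks like a copied kadm5.keytab:"
        echo "$foreign" | sed 's/^/      /'; rc=1
    fi
    stale=$(keytab_kvno_conflicts "$listing")
    if [ -n "$stale" ]; then
        echo "WARN: more than one key version for: $stale"; rc=1
    fi
    return $rc
}

# On a real host: klist -kt | { l=$(cat); audit_keytab "$l" "$(hostname)" EXAMPLE.COM; }
# Here the three constructed listings are audited instead.
echo "== proper host keytab";     audit_keytab "$SAMPLE_HOST_KEYTAB" hostA.example.com EXAMPLE.COM || true
echo "== copied kadm5.keytab";    audit_keytab "$SAMPLE_COPIED_KADM5_KEYTAB" hostA.example.com EXAMPLE.COM || true
echo "== stale key version";      audit_keytab "$SAMPLE_STALE_KEYTAB" hostA.example.com EXAMPLE.COM || true
```

    The second listing is the interesting one from a least-privilege point of
    view: a keytab holding kadmin/admin and kadmin/changepw lets whoever reads
    it act as the kadmin service, so it should exist only on the KDC, and an
    ssh server that needs it to log users in has been given the wrong key,
    not a missing one.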

