Solaris 10 ssh logins + w2k3 AD native mode - Kerberos


  1. Solaris 10 ssh logins + w2k3 AD native mode

    Hi,

    This might have been answered in a previous post(s)...

    I'm trying to kerberize solaris 10 x86 sshd and create wiki scratch build
    docs on it. Specifically, I'd like to get kerberos working for
    authentication, and LDAP/AD groups working for authorization. Even better
    would be to minimize admin tasks by not having to touch passwd, group,
    keytab for every new user, just have PAM modules do it.

    kinit works great

    ------------------- /etc/pam.conf -------------------------

    #
    #ident "@(#)pam.conf 1.28 04/04/21 SMI"
    #
    # Copyright 2004 Sun Microsystems, Inc. All rights reserved.
    # Use is subject to license terms.
    #
    # PAM configuration
    #
    # Unless explicitly defined, all services use the modules
    # defined in the "other" section.
    #
    # Modules are defined with relative pathnames, i.e., they are
    # relative to /usr/lib/security/$ISA. Absolute path names, as
    # present in this file in previous releases are still acceptable.
    #
    # Authentication management
    #
    # login service (explicit because of pam_dial_auth)
    #
    login auth requisite pam_authtok_get.so.1
    login auth required pam_dhkeys.so.1
    login auth required pam_unix_cred.so.1
    login auth required pam_unix_auth.so.1
    login auth required pam_dial_auth.so.1


    # not sure about these... Kerb only would be fine, or Unix as fallback.
    sshd-kbdint auth requisite pam_authtok_get.so.1
    sshd-kbdint auth required pam_dhkeys.so.1
    sshd-kbdint auth required pam_unix_cred.so.1
    sshd-kbdint auth sufficient pam_krb5.so.1 use_first_pass debug
    sshd-kbdint auth optional pam_unix_auth.so.1

    #
    # rlogin service (explicit because of pam_rhost_auth)
    #
    rlogin auth sufficient pam_rhosts_auth.so.1
    rlogin auth requisite pam_authtok_get.so.1
    rlogin auth required pam_dhkeys.so.1
    rlogin auth required pam_unix_cred.so.1
    rlogin auth required pam_unix_auth.so.1
    #
    # Kerberized rlogin service
    #
    krlogin auth required pam_unix_cred.so.1
    krlogin auth binding pam_krb5.so.1
    krlogin auth required pam_unix_auth.so.1
    #
    # rsh service (explicit because of pam_rhost_auth,
    # and pam_unix_auth for meaningful pam_setcred)
    #
    rsh auth sufficient pam_rhosts_auth.so.1
    rsh auth required pam_unix_cred.so.1
    #
    # Kerberized rsh service
    #
    krsh auth required pam_unix_cred.so.1
    krsh auth binding pam_krb5.so.1
    krsh auth required pam_unix_auth.so.1
    #
    # Kerberized telnet service
    #
    ktelnet auth required pam_unix_cred.so.1
    ktelnet auth binding pam_krb5.so.1
    ktelnet auth required pam_unix_auth.so.1
    #
    # PPP service (explicit because of pam_dial_auth)
    #
    ppp auth requisite pam_authtok_get.so.1
    ppp auth required pam_dhkeys.so.1
    ppp auth required pam_unix_cred.so.1
    ppp auth required pam_unix_auth.so.1
    ppp auth required pam_dial_auth.so.1
    #
    # Default definitions for Authentication management
    # Used when service name is not explicitly mentioned for authentication
    #
    other auth requisite pam_authtok_get.so.1
    other auth required pam_dhkeys.so.1
    other auth required pam_unix_cred.so.1
    other auth required pam_unix_auth.so.1
    #
    # passwd command (explicit because of a different authentication module)
    #
    passwd auth required pam_passwd_auth.so.1
    #
    # cron service (explicit because of non-usage of pam_roles.so.1)
    #
    cron account required pam_unix_account.so.1
    #
    # Default definition for Account management
    # Used when service name is not explicitly mentioned for account management
    #
    other account requisite pam_roles.so.1
    other account required pam_unix_account.so.1
    #
    # Default definition for Session management
    # Used when service name is not explicitly mentioned for session management
    #
    other session sufficient pam_krb5.so.1
    other session required pam_unix_session.so.1
    #
    # Default definition for Password management
    # Used when service name is not explicitly mentioned for password management
    #
    other password required pam_dhkeys.so.1
    other password requisite pam_authtok_get.so.1
    other password requisite pam_authtok_check.so.1
    other password required pam_authtok_store.so.1
    #
    # Support for Kerberos V5 authentication and example configurations can
    # be found in the pam_krb5(5) man page under the "EXAMPLES" section.
    #
    # --- EXAMPLES not all that helpful :-(

    ------------------- /etc/krb5/krb5.conf -------------------

    [libdefaults]
    default_realm = WIN.STANFORD.EDU
    forwardable = true
    proxiable = true
    dns_lookup_realm = true
    dns_lookup_kdc = false

    [realms]

    WIN.STANFORD.EDU = {
    kdc = 171.64.7.177
    admin_server = 171.64.7.177:88
    }

    SOM.WIN.STANFORD.EDU = {
    kdc = 171.64.7.171
    admin_server = 171.64.7.171:88
    }

    [domain_realm]
    win.stanford.edu = WIN.STANFORD.EDU
    .win.stanford.edu = WIN.STANFORD.EDU
    som.win.stanford.edu = SOM.WIN.STANFORD.EDU
    .som.win.stanford.edu = SOM.WIN.STANFORD.EDU

    [appdefaults]

    pam = {
    debug = true
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
    }

    kinit = {
    renewable = true
    forwardable = true
    proxiable = false
    }

    login = {
    krb5_get_tickets = true
    }



    Thanks,
    Barry Allard
    Stanford Med School
    MedIRT

    Solaris geek level: noob++
    Windows geek level: domainadmin- (can't change DCs or make schema changes)
    Krb geek level: user--
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos
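    An added example, not from the thread: the sshd-kbdint stack above is run through a small model of the Solaris PAM control-flag rules (my reading of pam.conf(4), an assumption to check against the man page of the release you run) next to two variants: the 'binding pam_krb5' + 'required pam_unix_auth' pattern the posted file already uses for ktelnet/krlogin/krsh, and 'sufficient' + 'required'. The per-module results in each scenario are constructed, not measured.

```python
# Model of the Solaris PAM control-flag rules (assumption: my reading of
# pam.conf(4) on Solaris 10), applied to the posted sshd-kbdint auth stack
# and two variants, to answer "Kerberos only or Unix fallback?" on paper.

SUCCESS, FAIL, IGNORE = "success", "fail", "ignore"

# The auth stack from the post, with the service and type columns dropped.
POSTED_STACK = [
    ("requisite", "pam_authtok_get"),
    ("required", "pam_dhkeys"),
    ("required", "pam_unix_cred"),
    ("sufficient", "pam_krb5"),
    ("optional", "pam_unix_auth"),
]

# Same stack with pam_unix_auth 'required': Kerberos first, Unix password as
# a real fallback (one of the two has to succeed).
FALLBACK_STACK = POSTED_STACK[:-1] + [("required", "pam_unix_auth")]

# The pattern the posted pam.conf already uses for ktelnet/krlogin/krsh:
# 'binding' pam_krb5 followed by 'required' pam_unix_auth. A binding failure
# is recorded as a required failure, so a Unix password cannot rescue it.
KRB_ONLY_STACK = POSTED_STACK[:-2] + [
    ("binding", "pam_krb5"),
    ("required", "pam_unix_auth"),
]


def run_stack(stack, results):
    """Return (outcome, deciding_module) for one pass through an auth stack.

    results maps module name -> SUCCESS / FAIL / IGNORE. Modules missing from
    the map count as PAM_IGNORE, which the framework skips entirely.
    """
    required_failures = []  # from required / binding modules
    optional_failures = []  # from optional / sufficient modules
    any_success = False
    for flag, module in stack:
        r = results.get(module, IGNORE)
        if r == IGNORE:
            continue
        if r == SUCCESS:
            any_success = True
            # sufficient/binding success short-circuits the stack unless a
            # required module already failed earlier.
            if flag in ("sufficient", "binding") and not required_failures:
                return SUCCESS, module
            continue
        # r == FAIL
        if flag == "requisite":
            # A requisite failure ends the stack at once.
            return FAIL, (required_failures or [module])[0]
        if flag in ("required", "binding"):
            required_failures.append(module)
        else:  # optional, sufficient
            optional_failures.append(module)
    if required_failures:
        return FAIL, required_failures[0]
    if any_success:
        # No required failure and at least one success: the framework returns
        # success and the recorded optional failures are discarded.
        return SUCCESS, None
    if optional_failures:
        return FAIL, optional_failures[0]
    return FAIL, None  # nothing ran at all; modelled here as denied


def scenario(krb5, unix_auth):
    """Constructed module results. pam_authtok_get only collects the password
    and is modelled as success; pam_dhkeys and pam_unix_cred are modelled as
    PAM_IGNORE for authenticate (the verdicts below are the same if they
    return success instead)."""
    return {
        "pam_authtok_get": SUCCESS,
        "pam_dhkeys": IGNORE,
        "pam_unix_cred": IGNORE,
        "pam_krb5": krb5,
        "pam_unix_auth": unix_auth,
    }


CASES = [
    ("krb5 ok", scenario(SUCCESS, FAIL)),
    ("krb5 fails, unix password ok", scenario(FAIL, SUCCESS)),
    ("both fail", scenario(FAIL, FAIL)),
]


def verdicts(stack):
    """Outcome of every case for one stack, keyed by case name."""
    return {name: run_stack(stack, res)[0] for name, res in CASES}


if __name__ == "__main__":
    for label, stack in (("posted (sufficient + optional)", POSTED_STACK),
                         ("fallback (sufficient + required)", FALLBACK_STACK),
                         ("kerberos only (binding + required)", KRB_ONLY_STACK)):
        print(label)
        for name, outcome in verdicts(stack).items():
            print(f"  {name:30s} -> {outcome}")
```

    Under this model the posted stack returns success even when both pam_krb5 and pam_unix_auth fail, because pam_authtok_get's success satisfies the stack and 'optional' failures are discarded; only the two 'required' variants actually deny a bad password.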


  2. Re: Solaris 10 ssh logins + w2k3 AD native mode

    Barry Allard wrote:
    > Hi,
    >
    > This might have been answered in a previous post(s)...
    >
    > I'm trying to kerberize solaris 10 x86 sshd and create wiki scratch build
    > docs on it. Specifically, I'd like to get kerberos working for
    > authentication, and LDAP/AD groups working for authorization. Even better
    > would be to minimize admin tasks by not having to touch passwd, group,
    > keytab for every new user, just have PAM modules do it.
    >



    The ssh that comes with Solaris 10 already has support for GSSAPI/KRB5
    authentication.

    It's not clear to me what you are trying to do with PAM, though. Can
    you explain in a little more detail?

    thanks,
    Wyllys





  3. Re: Solaris 10 ssh logins + w2k3 AD native mode

    Hi Wyllys,

    Primary goal: Kerberize ssh keyboard interactive logins in an
    enterprise-administration-friendly way.

    Secondary objective #A: manage user authorization (who can login)
    through Active Directory instead of locally (hacking a bunch of text
    files for each new user). Create home directory, etc.

    Secondary objective #B: ssh (putty) from windows -> sol 10 box ...
    automagically log in by Active Directory's kerb ticket (not hostkeys). I
    have seen it working using Centrify ($) PAM mod on Linux, and no
    mods to windows box.

    Thanks,
    Barry




  4. Re: Solaris 10 ssh logins + w2k3 AD native mode

    Barry Allard wrote:
    > Hi Wyllys,
    >
    > Primary goal: Kerberize ssh keyboard interactive logins in
    > enterprise-administration-friendly way.



    The ability to use Kerberos tickets to authenticate with
    SSH is already documented and explained in several places.
    Look at docs.sun.com under Security Administration (or search for
    SEAM, Kerberos). Also do a 'man sshd_config' - you should
    see that the GSSAPIAuthentication and GSSAPIKeyExchange
    values are "yes" by default.


    What is your definition of "enterprise-administration-friendly" ?


    >
    > Secondary objective #A: manage user authorization (who can login)
    > through Active Directory instead of locally (hacking a bunch of text
    > files for each new user). create home directory, etc.



    This is a whole different problem. Today, you can manage your
    users with AD, but you still need to have some way for the
    Unix system (Solaris or Linux) to map from the AD user attributes
    to something recognizable on the *nix platform - uid, gid, and home
    directory being the most important attributes needed to establish
    a Unix login session. Typically, Unix admins set up user databases
    with NIS or LDAP containing all of the users that they want to allow to
    access the Unix systems. Kerberos auth can still be done
    against the AD server, but the AD principals must map to
    Unix usernames that the local system can then look up once
    the authentication is completed to do authorization.

    Basically - you cannot have an empty /etc/passwd and shadow
    database (without NIS or LDAP) and expect that everything will
    "just work". You have to provide some method for the Unix
    system to get the user attributes it needs to establish a session.

    Microsoft offers their "services for Unix" feature that might
    help if you are trying to get everything from AD, but I've not
    used that myself.

    There are also ways to configure the LDAP on the *nix side to get
    the information from AD. Look for an LDAP expert to explain the details
    of that process; I haven't done it myself.



    >
    > Secondary objective #B: ssh (putty) from windows -> sol 10 box ...
    > automagically login by Active Directory's kerb ticket (not hostkeys).
    > I have seen it working using Centrify ($) PAM mod on the Linux, and
    > no mods to windows box.



    Does putty support GSSAPI authentication for SSH and can it
    get the user's credentials from Active Directory? If so, it should "just
    work" with the stock Solaris 10 sshd or the OpenSSH server with the
    GSSAPI patches applied.

    If you have to have a special PAM module on the server side, then you
    aren't really doing Kerberos single sign-on authentication and you most
    likely have to reenter your name/password when you try to log in to the
    other system. You could do that much with standard pam_krb5
    on Solaris or Linux. I'm not familiar with the Centrify product.

    -Wyllys



  5. Re: Solaris 10 ssh logins + w2k3 AD native mode

    Yes there are mods to PuTTY for GSSAPI,

    http://www.chiark.greenend.org.uk/~s...ros-gssapi.htm
    lists a few, and this one:

    "Another patch here adds support for GSSAPI user authentication
    using the MIT Kerberos library. (A previous version of this
    patch has been reviewed and found wanting.)"

    http://sweb.cz/v_t_m/

    I have not found it wanting, and it works well using either the
    built-in MS SSPI or the MIT KfW, to the Solaris 10 sshd.

    I see you are also asking about AFS in another thread. The Solaris 10
    sshd calling the Solaris 10 pam_krb5 with an additional pam_afs2
    can be used to get AFS tokens too.



    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444


  6. Re: Solaris 10 ssh logins + w2k3 AD native mode


    >Secondary objective #B: ssh (putty) from windows -> sol 10 box ...
    >automagically login by Active Directory's kerb ticket (not hostkeys). I
    >have seen it working using Centrify ($) PAM mod on the Linux, and no
    >mods to windows box.


    As Wyllys points out, you need some way of retrieving nameservice
    information from Active Directory; this is the other piece of the
    puzzle.

    Commercial options include:

    - Centrify DirectControl
    - Vintela VAS
    - Services for UNIX with bundled NIS Server (or PADL gateway)

    Open source options include:

    - SAMBA winbindd
    - PADL nss_ldap
    - Solaris nss_ldap

    -- Luke


