Re: Solaris 9 latest OEM SSH + pam_krb5.so.1 - Kerberos


Thread: Re: Solaris 9 latest OEM SSH + pam_krb5.so.1

  1. Re: Solaris 9 latest OEM SSH + pam_krb5.so.1

    Jeff Blaine writes:

    > Does anyone have a guess as to what I am doing wrong?


    > MIT Kerberos 1.5.1


    > Solaris 9 OEM SSH (latest patch cluster) with
    > 'PAMAuthenticationViaKBDInt yes' and a pam.conf
    > as such (which clearly gets hit):


    > # Start pam.conf snippet
    > sshd-kbdint auth requisite pam_authtok_get.so.1
    > sshd-kbdint auth required pam_dhkeys.so.1
    > sshd-kbdint auth sufficient pam_krb5.so.1 debug try_first_pass
    > sshd-kbdint auth required pam_unix_auth.so.1
    > # End of pam.conf snippet


    > adm # ssh -vvv -l jblaine test.foo.com
    > ...
    > debug1: Next authentication method: keyboard-interactive
    > debug2: userauth_kbdint
    > debug2: we sent a keyboard-interactive packet, wait for reply
    > debug2: input_userauth_info_req
    > debug2: input_userauth_info_req: num_prompts 1
    > Password:
    > debug3: packet_send2: adding 32 (len 22 padlen 10 extra_pad 64)
    > Connection closed by 192.168.168.100
    > debug1: Calling cleanup 0x47d2c(0x0)
    > adm #


    This may be obvious, but does the account jblaine exist on the system? It
    has to be provided by an nsswitch provider, or sshd will always reject
    logins to that account regardless of whether it passes a PAM
    authentication check.

    Also, note that unless the account exists in /etc/shadow (even if you're
    not using local passwords), the Unix PAM account module will reject the
    login, at least in Solaris 8.

    --
    Russ Allbery (rra@stanford.edu)
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Solaris 9 latest OEM SSH + pam_krb5.so.1

    > This may be obvious, but does the account jblaine exist on the system? It
    > has to be provided by an nsswitch provider, or sshd will always reject
    > logins to that account regardless of whether it passes a PAM
    > authentication check.


    Yes, the account exists. I am able to telnet in fine as jblaine.

    > Also, note that unless the account exists in /etc/shadow (even if you're
    > not using local passwords), the Unix PAM account module will reject the
    > login at least in Solaris 8.



  3. Re: Solaris 9 latest OEM SSH + pam_krb5.so.1

    I just want to cap this thread off properly for anyone
    stumbling across this later.

    No solution was found.

    Truss shows the following:

    ....reading krb5.keytab from FD 7... then...
    7054: lseek(7, 268, SEEK_SET) = 268
    7054: lseek(7, 0, SEEK_CUR) = 268
    7054: llseek(7, 0, SEEK_CUR) = 268
    7054: read(7, 0xFF13FCE4, 1) = 0
    7054: llseek(7, 0, SEEK_CUR) = 268
    7054: fcntl(7, F_SETLKW, 0xFFBFA794) = 0
    7054: close(7) = 0
    7054: Incurred fault #5, FLTACCESS %pc = 0xFEF60838
    7054: siginfo: SIGBUS BUS_ADRALN addr=0x00000017
    7054: Received signal #10, SIGBUS [default]
    7054: siginfo: SIGBUS BUS_ADRALN addr=0x00000017
    505: Received signal #18, SIGCLD, in poll() [caught]
    505: siginfo: SIGCLD CLD_DUMPED pid=7054 status=0x000A

    Russ Allbery wrote:
    > Jeff Blaine writes:
    >
    >> Does anyone have a guess as to what I am doing wrong?

    >
    >> MIT Kerberos 1.5.1

    >
    >> Solaris 9 OEM SSH (latest patch cluster) with
    >> 'PAMAuthenticationViaKBDInt yes' and a pam.conf
    >> as such (which clearly gets hit):

    >
    >> # Start pam.conf snippet
    >> sshd-kbdint auth requisite pam_authtok_get.so.1
    >> sshd-kbdint auth required pam_dhkeys.so.1
    >> sshd-kbdint auth sufficient pam_krb5.so.1 debug try_first_pass
    >> sshd-kbdint auth required pam_unix_auth.so.1
    >> # End of pam.conf snippet

    >
    >> adm # ssh -vvv -l jblaine test.foo.com
    >> ...
    >> debug1: Next authentication method: keyboard-interactive
    >> debug2: userauth_kbdint
    >> debug2: we sent a keyboard-interactive packet, wait for reply
    >> debug2: input_userauth_info_req
    >> debug2: input_userauth_info_req: num_prompts 1
    >> Password:
    >> debug3: packet_send2: adding 32 (len 22 padlen 10 extra_pad 64)
    >> Connection closed by 192.168.168.100
    >> debug1: Calling cleanup 0x47d2c(0x0)
    >> adm #

    >
    > This may be obvious, but does the account jblaine exist on the system? It
    > has to be provided by an nsswitch provider, or sshd will always reject
    > logins to that account regardless of whether it passes a PAM
    > authentication check.
    >
    > Also, note that unless the account exists in /etc/shadow (even if you're
    > not using local passwords), the Unix PAM account module will reject the
    > login at least in Solaris 8.
    >

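Added example, not part of the original thread: a small Python triage of the truss lines in the last post, reporting which process faulted, the signal and fault address, the last system call it completed, and whether another process was notified of a core dump. The regular expressions assume the truss line shapes shown in that post; `find_crashes` and its field names are chosen here for illustration.

```python
import re

# truss lines copied from the post above (the poster's annotation line is left out).
TRUSS = """\
7054: lseek(7, 268, SEEK_SET) = 268
7054: lseek(7, 0, SEEK_CUR) = 268
7054: llseek(7, 0, SEEK_CUR) = 268
7054: read(7, 0xFF13FCE4, 1) = 0
7054: llseek(7, 0, SEEK_CUR) = 268
7054: fcntl(7, F_SETLKW, 0xFFBFA794) = 0
7054: close(7) = 0
7054: Incurred fault #5, FLTACCESS %pc = 0xFEF60838
7054: siginfo: SIGBUS BUS_ADRALN addr=0x00000017
7054: Received signal #10, SIGBUS [default]
7054: siginfo: SIGBUS BUS_ADRALN addr=0x00000017
505: Received signal #18, SIGCLD, in poll() [caught]
505: siginfo: SIGCLD CLD_DUMPED pid=7054 status=0x000A
"""

LINE = re.compile(r"^\s*(\d+):\s+(.*)$")
SYSCALL = re.compile(r"^\w+\(.*\)\s+=\s+\S")
FAULT = re.compile(r"Incurred fault #\d+, (\w+)\s+%pc = (0x[0-9A-Fa-f]+)")
SIGINFO = re.compile(r"siginfo: (\w+) (\w+) addr=(0x[0-9A-Fa-f]+)")
SIGNAL = re.compile(r"Received signal #\d+, (\w+)(?:, in \w+\(\))? \[(\w+)\]")
CLD = re.compile(r"siginfo: SIGCLD (CLD_\w+) pid=(\d+) status=")

def find_crashes(text):
    """Return one record per process that took a hardware fault in the trace."""
    last_call, crashes = {}, {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # annotations and blank lines carry no pid prefix
        pid, body = int(m.group(1)), m.group(2)
        if SYSCALL.match(body):
            last_call[pid] = body  # the call completed just before any fault
        elif (f := FAULT.search(body)):
            crashes[pid] = {"pid": pid, "fault": f.group(1), "pc": f.group(2),
                            "last_syscall": last_call.get(pid), "core_dumped": False}
        elif (s := SIGINFO.search(body)) and pid in crashes:
            crashes[pid].update(signal=s.group(1), code=s.group(2), addr=s.group(3))
        elif (g := SIGNAL.search(body)) and pid in crashes:
            crashes[pid]["disposition"] = g.group(2)  # "default" means no handler ran
        elif (c := CLD.search(body)) and int(c.group(2)) in crashes:
            child = crashes[int(c.group(2))]
            child["core_dumped"] = c.group(1) == "CLD_DUMPED"
            child["reaped_by"] = pid  # process that received SIGCLD for the child
    return list(crashes.values())

if __name__ == "__main__":
    for crash in find_crashes(TRUSS):
        print(crash)
```
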

