[28413] in Kerberos
Re: Kerberos, Sun SSH and KRB5CCNAME on Solaris (10)
daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Mon Sep 17 10:44:16 2007
Message-ID: <46EE92A6.6030900@anl.gov>
Date: Mon, 17 Sep 2007 09:43:50 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: Robert Sturrock <rns@unimelb.edu.au>
In-Reply-To: <20070917080859.GS2665@unimelb.edu.au>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Robert Sturrock wrote:
> Hello.
>
> I'm trying to configure a Solaris 10 server to allow kerberos-based
> logins with Sun's SSHD. I set "GSSAPIAuthentication yes" in
> the sshd_config. My pam.conf is displayed below.
>
> I _think_ this problem might have been the subject of discussion here:
>
> http://newsgroups.derkeiler.com/Archive/Comp/comp.protocols.kerberos/2006-08/msg00094.html
>
Yes, that would be me.
> .. which says in part:
>
> > The sshd does not set the KRB5CCNAME correctly either. We do this
> > with pam_krb5_cache.so.1 ccache=/tmp/krb5cc_%u_%p (user and PID)
> > to get session based credentials if possible. Works from sshd-gssapi,
> > but not from dtlogin where we are stuck with user basede credentials.
>
> Do I need to setup pam_krb5_cache? If so, can someone please provide
> a pointer to this as it does not seem to be a standard Solaris 10 PAM
> module.
ftp://achilles.ctd.anl.gov/pub/DEE/pam_krb5_ccache-0.1.tar There is a README,
and example pam.conf in there too.
>
> FYI, the ultimate objective here is to automatically get AFS tokens on
> login, but this is not working in all circumstances because
> pam-afs-session expects KRB5CCNAME to be set.
That was our goal too. We are using pam_afs2. pam_afs_session
should also work.
>
> Regards
>
> Robert Sturrock.
>
>
> ---
> #
> #ident "@(#)pam.conf 1.28 04/04/21 SMI"
> #
> # Copyright 2004 Sun Microsystems, Inc. All rights reserved.
> # Use is subject to license terms.
> #
> # PAM configuration
> #
> # Unless explicitly defined, all services use the modules
> # defined in the "other" section.
> #
> # Modules are defined with relative pathnames, i.e., they are
> # relative to /usr/lib/security/$ISA. Absolute path names, as
> # present in this file in previous releases are still acceptable.
> #
> # Authentication management
> #
> # login service (explicit because of pam_dial_auth)
> #
> login auth requisite pam_authtok_get.so.1
> login auth required pam_dhkeys.so.1
> login auth required pam_unix_cred.so.1
> login auth required pam_unix_auth.so.1
> login auth required pam_dial_auth.so.1
> #
> # rlogin service (explicit because of pam_rhost_auth)
> #
> rlogin auth sufficient pam_rhosts_auth.so.1
> rlogin auth requisite pam_authtok_get.so.1
> rlogin auth required pam_dhkeys.so.1
> rlogin auth required pam_unix_cred.so.1
> rlogin auth required pam_unix_auth.so.1
> #
> # Kerberized rlogin service
> #
> krlogin auth required pam_unix_cred.so.1
> krlogin auth binding pam_krb5.so.1
> krlogin auth required pam_unix_auth.so.1
> #
> # rsh service (explicit because of pam_rhost_auth,
> # and pam_unix_auth for meaningful pam_setcred)
> #
> rsh auth sufficient pam_rhosts_auth.so.1
> rsh auth required pam_unix_cred.so.1
> #
> # Kerberized rsh service
> #
> krsh auth required pam_unix_cred.so.1
> krsh auth binding pam_krb5.so.1
> krsh auth required pam_unix_auth.so.1
> #
> # Kerberized telnet service
> #
> ktelnet auth required pam_unix_cred.so.1
> ktelnet auth binding pam_krb5.so.1
> ktelnet auth required pam_unix_auth.so.1
> #
> # PPP service (explicit because of pam_dial_auth)
> #
> ppp auth requisite pam_authtok_get.so.1
> ppp auth required pam_dhkeys.so.1
> ppp auth required pam_unix_cred.so.1
> ppp auth required pam_unix_auth.so.1
> ppp auth required pam_dial_auth.so.1
> #
> # Default definitions for Authentication management
> # Used when service name is not explicitly mentioned for authentication
> #
> other auth requisite pam_authtok_get.so.1
> other auth required pam_dhkeys.so.1
> other auth required pam_unix_cred.so.1
> other auth sufficient pam_krb5.so.1
> other auth required pam_unix_auth.so.1
> other auth optional /usr/local/lib/security/pam_afs_session.so debug
> #
> # passwd command (explicit because of a different authentication module)
> #
> passwd auth required pam_passwd_auth.so.1
> #
> # cron service (explicit because of non-usage of pam_roles.so.1)
> #
> cron account required pam_unix_account.so.1
> #
> # Default definition for Account management
> # Used when service name is not explicitly mentioned for account management
> #
> other account requisite pam_roles.so.1
> other account required pam_unix_account.so.1
> other account required pam_krb5.so.1
> #
> # Default definition for Session management
> # Used when service name is not explicitly mentioned for session management
> #
> other session required pam_unix_session.so.1
> other session required /usr/local/lib/security/pam_afs_session.so debug
> #
> # Default definition for Password management
> # Used when service name is not explicitly mentioned for password management
> #
> other password required pam_dhkeys.so.1
> other password requisite pam_authtok_get.so.1
> other password requisite pam_authtok_check.so.1
> other password required pam_authtok_store.so.1
> other password optional pam_krb5.so.1
> #
> # Support for Kerberos V5 authentication and example configurations can
> # be found in the pam_krb5(5) man page under the "EXAMPLES" section.
> #
> sshd auth sufficient pam_krb5.so.1 try_first_pass
> sshd auth required pam_unix_auth.so.1
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos