[28674] in Kerberos
sshs ticket length issue
daemon@ATHENA.MIT.EDU (Edgecombe, Jason)
Tue Nov 6 16:41:13 2007
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Tue, 6 Nov 2007 16:28:37 -0500
Message-ID: <A01ABA2A211C644596549C5FF91C50E419C4E844@EXEVS02.its.uncc.edu>
From: "Edgecombe, Jason" <jwedgeco@uncc.edu>
To: <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Hi Everyone,
I'm having ticket length issues with Kerberos.
I'm running OpenSSH_4.2p1, OpenSSL 0.9.8 05 Jul 2005 on Solaris 9
09/05 HW with Kerberos 1.4 on the sshd box.
According to the KDC, I have a 3-day ticket length. When I log in at
the console or via telnet, I get my 3-day ticket. When I ssh into the
Solaris machine without local tickets and use my password, I get a
10-hour ticket and 10-hour AFS tokens. When I kinit, I get my 3-day
ticket and token. If I have a ticket on the local machine, then ticket
forwarding works properly with the 3-day ticket length.
The main problem is that I don't get the proper ticket length when
ssh'ing into the Solaris 9 machine using my password.
/etc/krb5.conf:
[appdefaults]
kinit = {
forwardable = true
noaddresses = true
}
[libdefaults]
forwardable = true
noaddresses = true
ticket_lifetime = 7d
default_realm = UNCC.EDU
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
...
Pertinent sshd_config:
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
PrintMotd no
Subsystem sftp /usr/local/ssh/libexec/sftp-server
X11Forwarding yes
UsePAM is not set and uses the default.
/etc/pam.conf snippet:
#login
login auth requisite pam_authtok_get.so.1
login auth optional pam_unix.so.1 use_first_pass
login auth optional pam_krb5.so.1 use_first_pass
login auth optional pam_aklog.so.1 ccache=/tmp/krb5cc_%u
# dtlogin
dtlogin auth requisite pam_authtok_get.so.1
dtlogin auth optional pam_unix.so.1 use_first_pass
dtlogin auth optional pam_krb5.so.1 use_first_pass
dtlogin auth optional pam_aklog.so.1 ccache=/tmp/krb5cc_%u
# dtsession
dtsession auth requisite pam_authtok_get.so.1
dtsession auth optional pam_unix.so.1 use_first_pass
dtsession auth optional pam_krb5.so.1 use_first_pass
# ssh
sshd auth requisite pam_authtok_get.so.1
sshd auth optional pam_unix.so.1 use_first_pass
sshd auth optional pam_krb5.so.1 use_first_pass
sshd auth optional pam_aklog.so.1 ccache=/tmp/krb5cc_%u
Thanks,
Jason
Jason Edgecombe
Solaris & Linux Administrator
Mosaic Computing Group, College of Engineering
UNC-Charlotte
Phone: (704) 687-3514
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
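The following is an added example, not code from the post or from the Kerberos, OpenSSH or Solaris projects. It is a small diagnostic for the symptom described above: it reads the ticket_lifetime requested in the krb5.conf [libdefaults] section, parses the start and expiry columns of MIT klist output for the TGT that was actually issued, and reports the shortfall against what the KDC is expected to grant. The krb5.conf fragment and the klist output embedded in it are constructed for illustration (the principal name, cache path and timestamps are assumptions, chosen so the TGT shows the 10-hour lifetime from the post); the script only measures what was issued and does not identify which component shortened the request.

```python
"""Compare the ticket lifetime configured in krb5.conf with the lifetime
of the TGT actually present in a credential cache (from `klist` output).
Sample inputs below are constructed, not taken from any real system."""
import re
from datetime import datetime

# Constructed krb5.conf fragment modelled on the one in the post.
SAMPLE_KRB5_CONF = """
[appdefaults]
kinit = {
    forwardable = true
    noaddresses = true
}
[libdefaults]
    forwardable = true
    noaddresses = true
    ticket_lifetime = 7d
    default_realm = UNCC.EDU
"""

# Constructed klist output in the MIT Kerberos 1.x two-digit-year layout;
# the krbtgt line deliberately shows a 10-hour lifetime (the symptom).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@UNCC.EDU

Valid starting     Expires            Service principal
11/06/07 16:28:37  11/07/07 02:28:37  krbtgt/UNCC.EDU@UNCC.EDU
11/06/07 16:28:40  11/07/07 02:28:37  afs@UNCC.EDU
"""

_DURATION_RE = re.compile(r'(\d+)([dhms])')
_UNIT_SECONDS = {'d': 86400, 'h': 3600, 'm': 60, 's': 1}


def parse_duration(text):
    """Convert a krb5.conf duration ('7d', '10h', '3d0h', or bare seconds) to seconds."""
    text = text.strip()
    if text.isdigit():          # a bare number is already in seconds
        return int(text)
    total, pos = 0, 0
    for m in _DURATION_RE.finditer(text):
        if m.start() != pos:    # reject junk between components
            raise ValueError("bad duration: %r" % text)
        total += int(m.group(1)) * _UNIT_SECONDS[m.group(2)]
        pos = m.end()
    if pos != len(text):
        raise ValueError("bad duration: %r" % text)
    return total


def configured_lifetime(conf_text):
    """Return ticket_lifetime (seconds) from [libdefaults], or None if absent.
    Nested '{ ... }' blocks (such as an [appdefaults] kinit stanza) are skipped."""
    section, depth = None, 0
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].strip()     # drop comments and whitespace
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            section, depth = line[1:-1].lower(), 0
        elif line.endswith('{'):
            depth += 1
        elif line == '}':
            depth -= 1
        elif section == 'libdefaults' and depth == 0 and '=' in line:
            key, value = (s.strip() for s in line.split('=', 1))
            if key == 'ticket_lifetime':
                return parse_duration(value)
    return None


_KLIST_RE = re.compile(
    r'^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)')


def ticket_lifetimes(klist_text):
    """Map each service principal in klist output to its lifetime in seconds."""
    fmt = '%m/%d/%y %H:%M:%S'
    result = {}
    for line in klist_text.splitlines():
        m = _KLIST_RE.match(line)
        if m:
            start = datetime.strptime(m.group(1), fmt)
            end = datetime.strptime(m.group(2), fmt)
            result[m.group(3)] = int((end - start).total_seconds())
    return result


def check(conf_text, klist_text, realm, kdc_max_seconds=None):
    """Return (configured, expected, actual, shortfall) in seconds for the TGT.
    'expected' is the configured request capped by the KDC's maximum, if given."""
    configured = configured_lifetime(conf_text)
    expected = configured
    if configured is not None and kdc_max_seconds is not None:
        expected = min(configured, kdc_max_seconds)
    actual = ticket_lifetimes(klist_text).get('krbtgt/%s@%s' % (realm, realm))
    shortfall = None
    if expected is not None and actual is not None:
        shortfall = max(expected - actual, 0)
    return configured, expected, actual, shortfall


if __name__ == '__main__':
    # The post says the KDC allows 3 days; hypothetical value for the report.
    conf, exp, act, short = check(SAMPLE_KRB5_CONF, SAMPLE_KLIST, 'UNCC.EDU',
                                  kdc_max_seconds=3 * 86400)
    print("configured %sh, KDC-capped %sh, issued %sh, shortfall %sh"
          % (conf // 3600, exp // 3600, act // 3600, short // 3600))
```

On a live system, feed the real files in: read /etc/krb5.conf and the output of `klist` for the login session's cache (for the pam_aklog line in the post that is /tmp/krb5cc_<uid>), and run the check once after a console login and once after an ssh password login so the two TGT lifetimes can be compared directly.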