GSSAPI-Kerberos on Sol-9: which pam.conf entries to auth via Kerberos only, only for SSH

From: rob.de.langhe@belgacom.be
Date: Mon Nov 21 2005 - 06:23:38 EST


Hi,

we want to find out what entries to put in the /etc/pam.conf to have
this behaviour: we want to block all network login methods except SSH.
The only alternative method to get into the machine will be via console
for system troubleshooting.

With SSH, a user should be authenticated ONLY via Kerberos. Login
information will be retrieved either from local files or via LDAP.

Console login should be authenticated NOT via Kerberos, but via the
local files (/etc/shadow, /etc/passwd). This should prevent a "root"
login (always supposed to happen via console only) from being authenticated
via a "root" entry on the remote Kerberos server...

Solaris is 9, so we use the GSSAPI for Kerberos.

I can already successfully perform a "kinit $someuser", so the
communications with the Kerberos servers go fine.

I currently have this in my pam.conf:

sshd auth required pam_authtok_get.so.1
sshd auth required pam_krb5.so.1 try_first_pass debug

sshd account requisite pam_roles.so.1
sshd account required pam_projects.so.1
sshd account sufficient pam_krb5.so.1 debug
sshd account required pam_unix_account.so.1

sshd session required pam_unix_session.so.1

cron account required pam_projects.so.1
cron account required pam_unix_account.so.1

passwd auth required pam_passwd_auth.so.1

other auth required pam_authtok_get.so.1
other auth required pam_unix_auth.so.1

other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account required pam_unix_account.so.1

other session required pam_unix_session.so.1

other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1

However, this fails, with this message on the console from the krb
library:

[date/time] sshd: PAM-KRB5 (auth): krb5_verify_init_creds failed: Key
table entry not found

Anyone with suggestions?

thx a lot in advance!

Rob
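The post states three requirements for the stacks (SSH authenticates through Kerberos only, console login through local files only, and no Kerberos-authenticated "root" on the console), but checking a pam.conf by eye for them is error-prone. The script below is an added example, not part of Rob's post or of Solaris: it parses the pam.conf quoted above using the documented field order (service, module_type, control_flag, module_path, options), applies the pam.conf fallback rule (a service with no entry for a module type uses the "other" entries), and reports findings based on standard PAM control-flag semantics. The finding codes and the assumption that console login arrives through the `login` service (which has no entries above and so falls through to "other") are the example's own. It says nothing about the `krb5_verify_init_creds` error, which is a Kerberos keytab matter rather than a pam.conf one.

```python
"""Audit a Solaris-style /etc/pam.conf for the SSH-via-Kerberos / console-via-local-files
split described in the post. Added example; the finding codes are constructed here."""
from collections import defaultdict

# The pam.conf exactly as quoted in the post.
PAM_CONF = """\
sshd auth required pam_authtok_get.so.1
sshd auth required pam_krb5.so.1 try_first_pass debug

sshd account requisite pam_roles.so.1
sshd account required pam_projects.so.1
sshd account sufficient pam_krb5.so.1 debug
sshd account required pam_unix_account.so.1

sshd session required pam_unix_session.so.1

cron account required pam_projects.so.1
cron account required pam_unix_account.so.1

passwd auth required pam_passwd_auth.so.1

other auth required pam_authtok_get.so.1
other auth required pam_unix_auth.so.1

other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account required pam_unix_account.so.1

other session required pam_unix_session.so.1

other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
"""


def parse_pam_conf(text):
    """Return {(service, module_type): [(control_flag, module_path, options), ...]}.
    Entries keep file order, which is the order PAM evaluates a stack."""
    stacks = defaultdict(list)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: expected at least 4 fields: {raw!r}")
        service, mtype, flag = (f.lower() for f in fields[:3])
        stacks[(service, mtype)].append((flag, fields[3], fields[4:]))
    return dict(stacks)


def effective_stack(stacks, service, mtype):
    """pam.conf rule: a service with any entry for a module type uses only those
    entries; a service with none for that type falls back to the 'other' entries."""
    return stacks.get((service, mtype)) or stacks.get(("other", mtype), [])


def module_name(path):
    """'/usr/lib/security/pam_krb5.so.1' or 'pam_krb5.so.1' -> 'pam_krb5'."""
    return path.rsplit("/", 1)[-1].split(".so", 1)[0]


def audit(stacks, console_services=("login",)):
    """Return a list of (code, message) findings for the requirements in the post."""
    findings = []
    ssh_auth = [module_name(m) for _, m, _ in effective_stack(stacks, "sshd", "auth")]
    if "pam_krb5" not in ssh_auth:
        findings.append(("SSH-NO-KRB5", "sshd auth stack never calls pam_krb5"))
    if "pam_unix_auth" in ssh_auth:
        findings.append(("SSH-LOCAL-PW", "sshd auth stack also accepts local /etc/shadow passwords"))
    for svc in console_services:  # assumption: console login uses the 'login' service
        mods = [module_name(m) for _, m, _ in effective_stack(stacks, svc, "auth")]
        if "pam_krb5" in mods:
            findings.append(("CONSOLE-KRB5", f"{svc} auth stack consults Kerberos, so a 'root' principal on the KDC could satisfy console login"))
        if "pam_unix_auth" not in mods:
            findings.append(("CONSOLE-NO-LOCAL", f"{svc} auth stack does not check the local files"))
    # 'sufficient' returns success at once when no earlier 'required' module has failed,
    # so every module listed after it is skipped on the success path.
    for mtype in ("auth", "account"):
        stack = effective_stack(stacks, "sshd", mtype)
        for i, (flag, module, _) in enumerate(stack):
            if flag == "sufficient" and module_name(module) == "pam_krb5" and stack[i + 1:]:
                skipped = ", ".join(module_name(m) for _, m, _ in stack[i + 1:])
                findings.append(("SSH-KRB5-SHORTCIRCUIT", f"sshd {mtype}: pam_krb5 is 'sufficient', so {skipped} never runs when Kerberos succeeds"))
    for (svc, mtype), stack in sorted(stacks.items()):
        for _, module, options in stack:
            if "debug" in options:
                findings.append(("DEBUG-ON", f"{svc} {mtype}: {module_name(module)} still has the debug option set"))
    return findings


if __name__ == "__main__":
    for code, msg in audit(parse_pam_conf(PAM_CONF)):
        print(f"{code:24} {msg}")
```

Run against the quoted pam.conf, the auth split comes out as the post intends (Kerberos only on sshd, local files only on the console fallback), and the script flags two things worth a second look: the `sufficient pam_krb5` line in the sshd account stack means `pam_unix_account` (local expiry and lock checks) never runs once Kerberos succeeds, and the `debug` options are still set on both pam_krb5 entries.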
