Solaris 9, pam.conf, ssh and Kerberos

From: Derek Diget (diget+sunmanagers@unix.cc.wmich.edu)
Date: Tue May 16 2006 - 18:11:19 EDT


We are struggling with getting native SSH/SSHd working with Kerberos
tickets and if one is not valid or present to prompt for a password.

I have a ticket open with Sun support, but it has been a week and not
much progress has been made. We have several deadlines that won't be
made unless we get this fixed ASAP.

Background:
ssh client and server are Solaris 9 SPARC 9/05 patched with the
9_Recommended patch set from last week.

client is using /usr/bin/ssh to connect to the server.
server is using /usr/lib/ssh/sshd.

Kerberos (SEAM) is properly configured and we are able to get a TGT.
We have rlogin, ftp, and rsh working only when a valid ticket is
presented to the server.

Since ssh does not have a separate "stanza" in the pam.conf it fails
through to the "other" service name. We also use the "native" LDAP
client for passwd and group nsswitch databases, but do not use LDAP for
authentication.

We have the following in pam.conf:

other auth sufficient pam_krb5.so.1 acceptor
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_krb5.so.1 use_first_pass

The above works too well. It lets users in that don't have a valid
ticket and does not ask for a password. It basically lets anyone in.
Not what we want!

Does anyone have an "other" service name stanza from pam.conf that
accepts valid Kerberos tickets as sufficient, but if one is not
presented or is invalid, prompts the user for a password for use with
pam_unix_auth and/or pam_krb5?

TIA and will summarize.

--
***********************************************************************
Derek Diget                            Office of Information Technology
Western Michigan University - Kalamazoo  Michigan  USA - www.wmich.edu/
***********************************************************************
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
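The following is an added example, not part of the original post and not Sun's
code: a small model of the Solaris pam.conf(4) control-flag stacking rules
(sufficient, requisite, required, binding, optional) replayed against the
"other auth" stanza quoted in the post. The module outcomes in run_module(),
the login() helper and the sample sessions are assumptions made for the model;
it shows what the documented rules say the stanza should do for a user with a
ticket, a user with a password and no ticket, and a user with neither.

```python
"""Model of Solaris pam.conf(4) stacking applied to the posted "other auth"
stanza. Added example; module behaviour is simulated, not the real libpam."""

SUCCESS, IGNORE, FAIL = "success", "ignore", "fail"

# The stanza exactly as posted: (control flag, module, options).
OTHER_AUTH = [
    ("sufficient", "pam_krb5.so.1",        ["acceptor"]),
    ("requisite",  "pam_authtok_get.so.1", []),
    ("required",   "pam_dhkeys.so.1",      []),
    ("binding",    "pam_unix_auth.so.1",   ["server_policy"]),
    ("required",   "pam_krb5.so.1",        ["use_first_pass"]),
]


def run_module(module, options, ctx):
    """Simulated outcome of one module (assumption, not the module's code).

    ctx: ticket (valid TGT in the cache), password (what the user would type,
    None if nothing), unix_pw_ok, krb5_pw_ok. ctx["authtok"] holds the
    password once pam_authtok_get has collected it.
    """
    if module == "pam_krb5.so.1":
        if "use_first_pass" in options:
            # Assumed: reuse the collected password; fail if there is none.
            if ctx.get("authtok") is None:
                return FAIL
            return SUCCESS if ctx["krb5_pw_ok"] else FAIL
        # Assumed: succeeds only when a valid ticket is already present.
        return SUCCESS if ctx["ticket"] else FAIL
    if module == "pam_authtok_get.so.1":
        ctx["authtok"] = ctx["password"]      # this is the password prompt
        return SUCCESS
    if module == "pam_dhkeys.so.1":
        return IGNORE                         # assumed: no Secure RPC keys
    if module == "pam_unix_auth.so.1":
        # Assumed: checks the collected password against the passwd source.
        if ctx.get("authtok") is None:
            return FAIL
        return SUCCESS if ctx["unix_pw_ok"] else FAIL
    raise ValueError("unknown module " + module)


def evaluate(stack, ctx):
    """Apply the pam.conf(4) control-flag rules; return (result, trace)."""
    required_failed = False   # a required or binding module has failed
    any_success = False
    trace = []
    for flag, module, options in stack:
        rc = run_module(module, options, ctx)
        trace.append((flag, module, rc))
        if rc == IGNORE:
            continue
        if rc == SUCCESS:
            any_success = True
            # sufficient/binding: return success at once unless a
            # required-class module already failed earlier in the stack.
            if flag in ("sufficient", "binding") and not required_failed:
                return SUCCESS, trace
            continue
        # rc == FAIL
        if flag == "requisite":
            return FAIL, trace                # stop the stack immediately
        if flag in ("required", "binding"):
            required_failed = True            # remembered; stack continues
        # a failing sufficient/optional module is ignored unless nothing
        # else decides the result
    if required_failed or not any_success:
        return FAIL, trace
    return SUCCESS, trace


def login(ticket, password=None, unix_pw_ok=False, krb5_pw_ok=False):
    """One simulated login through the "other auth" stack."""
    ctx = {"ticket": ticket, "password": password,
           "unix_pw_ok": unix_pw_ok, "krb5_pw_ok": krb5_pw_ok}
    return evaluate(OTHER_AUTH, ctx)


if __name__ == "__main__":
    cases = {
        "valid ticket, no prompt":     login(ticket=True),
        "no ticket, unix password ok": login(False, "pw", unix_pw_ok=True),
        "no ticket, krb5 password ok": login(False, "pw", krb5_pw_ok=True),
        "no ticket, wrong password":   login(False, "pw"),
        "no ticket, no password":      login(False),
    }
    for name, (result, trace) in cases.items():
        print(f"{name:28s} -> {result:8s} via {[m for _, m, _ in trace]}")
```

Two things the replay makes visible. First, under the documented rules the
posted stanza does not admit a user who has neither a ticket nor a password
accepted by pam_unix_auth or pam_krb5; within this model the reported
"lets anyone in" behaviour only appears if the first pam_krb5 line returns
success for a ticketless user or if sshd never runs the auth stack at all,
and the post does not establish which, if either, is the case. Second,
because a failing "binding" module counts as a required failure, a user
whose Unix password is rejected is denied even when the final pam_krb5 line
accepts the same password, so the order of the pam_unix_auth and pam_krb5
lines matters for which password source actually decides.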


This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:39:53 EDT