Re: Kerberos MIT SSH Solaris 9



Andrea wrote:
On 7 Feb, 20:37, "Douglas E. Engert" <deeng...@xxxxxxx> wrote:
Andrea wrote:
Hi all,
I'm experiencing some problem on kerberizing ssh on Solaris 9 with MIT
Kerberos,
I have the following setting:
1. Sun Solaris 5.9
2. MIT Kerberos KDC 1.6.3 ( I use just the kdc from the MIT Kerberos)
3. On Kerberos client side I used the one from Solaris from the
following packet: SUNWkrbu
4. Sun_SSH_1.1, SSH protocols 1.5/2.0, OpenSSL 0x0090700f
I don't believe the Solars 9 sshd supports GSSAPI which is what you
are looking for. On Solaris 9 we use OpenSSH and the MIT Kerberos.
(/usr/bin/ldd /usr/lib/ssh/sshd does not show any Kerberos or gssapi libs.)

If i type ldd /usr/lib/ssh/sshd I obtain following result:

root@colcascms # ldd /usr/lib/ssh/sshd
libsocket.so.1 => /usr/lib/libsocket.so.1
libnsl.so.1 => /usr/lib/libnsl.so.1
libz.so.1 => /usr/lib/libz.so.1
libpam.so.1 => /usr/lib/libpam.so.1
libbsm.so.1 => /usr/lib/libbsm.so.1
libwrap.so.1 => /usr/sfw/lib/libwrap.so.1
libmd5.so.1 => /usr/lib/libmd5.so.1
libcmd.so.1 => /usr/lib/libcmd.so.1
libgss.so.1 => /usr/lib/libgss.so.1
libc.so.1 => /usr/lib/libc.so.1
libdl.so.1 => /usr/lib/libdl.so.1
libmp.so.2 => /usr/lib/libmp.so.2
libxfn.so.2 => /usr/lib/libxfn.so.2
/usr/platform/SUNW,Sun-Fire-V440/lib/libmd5_psr.so.1
/usr/platform/SUNW,Sun-Fire-V440/lib/libc_psr.so.1
And then I investigate about how ssh call the library libgss (with
truss) and seems that ssh through libgss tries to obtain the ticket
credential, this is part of the truss command launched as follow truss
-u mech_krb5,libgss:: ssh user@hostaname:

-> libgss:gss_acquire_cred(0xffbff660, 0x0, 0x0, 0x116938)
open("/var/run/rpc_door/rpc_100029.1", O_RDONLY) Err#2 ENOENT open("/
var/run/rpc_door/rpc_100029.1", O_RDONLY) Err#2 ENOENT

getuid() = 0 [0]
open("/tmp/krb5cc_0", O_RDONLY) Err#2 ENOENT
open("/tmp/krb5cc_0", O_RDONLY) Err#2 ENOENT
<- libgss:gss_acquire_cred() = 0x70000

It seems that this ssh supports in such a way GSS-API.

I stand corrected, it looks like it does support GSSAPI.


Any further suggestions??

As root run another server in the forground:

/usr/lib/ssh/sshd -ddd -p 2222

The on a client, as a user (not root) with tickets:

/usr/bin/ssh -vvv -p 2222 hostname


Thanks for the precious suggesstions.

Bye

But On Solairs 10, The Sun ssh/sshd does support GSSAPI, and works
well with GSSAPI using the Sun Kerberos.





This is my pam.conf:
# PAM configuration
#
# Customized to try pam_unix, then pam_krb5
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication
#
# passwd command (explicit because of a different authentication
module)
#
passwd auth required pam_passwd_auth.so.1
#
# Default definition for Authentication management
# Used when service name is not explicitly mentioned for
authentication
# management
#
other auth requisite pam_authtok_get.so.1
other auth sufficient pam_unix_auth.so.1
other auth required pam_krb5.so.1 use_first_pass debug
#
# Account
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_projects.so.1
cron account required pam_unix_account.so.1
# See notes about pam_krb5 in "other" section below
cron account optional pam_krb5.so.1 debug
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account
management
#
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account required pam_unix_account.so.1
# According to the pam_krb5 man page, this checks for password
expiration.
# I'm not sure this does anything since I've flagged it as optional.
# I'm not sure if I can make it required because of root.
other account optional pam_krb5.so.1 debug
#
# Session
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session
management
#
other session optional pam_krb5.so.1 debug
other session required pam_unix_session.so.1
#
# Password
#
# (Don't list pam_krb5 here, this section is only for root. Regular
# users must use the centralized department password changing
mechanism.)
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password
management
#
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
#
I can ssh into the machine using the password from kerberos, when I
let in I have the two tickets (TGT and TGS), but if I try to ssh on
the same machine I have to retype the password, hence single sign on
seems not working.
Anyone can suggest me where am i wrong???
Is the pam.conf correct?
Does native Solaris ssh supports well gssapi delegation credentials??
It does on Solaris 10!



My goal is to obtain single sign on with as much as possible native
solaris tool, with just an exception use MIT KERBEROS KDC SERVER!
We do that on Solaris 10 but using Windows AD as the KDC.



Thanks in advance!
________________________________________________
Kerberos mailing list Kerbe...@xxxxxxx
https://mailman.mit.edu/mailman/listinfo/kerberos
--

Douglas E. Engert <DEEng...@xxxxxxx>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

________________________________________________
Kerberos mailing list Kerberos@xxxxxxx
https://mailman.mit.edu/mailman/listinfo/kerberos



--

Douglas E. Engert <DEEngert@xxxxxxx>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
.

Relevant Pages

  • Re: Kerberos MIT SSH Solaris 9
    ... I don't believe the Solars 9 sshd supports GSSAPI which is what you ... And then I investigate about how ssh call the library libgss (with ... # Default definition for Authentication management ... Does native Solaris ssh supports well gssapi delegation credentials?? ...
    (comp.protocols.kerberos)
  • SOLARIS 9 MIT KERBEROS SSH
    ... I'm experiencing some problem on kerberizing ssh on Solaris 9 with MIT ... MIT Kerberos KDC 1.6.3 ... # Default definition for Authentication management ...
    (comp.unix.solaris)
  • Kerberos MIT SSH Solaris 9
    ... I'm experiencing some problem on kerberizing ssh on Solaris 9 with MIT ... MIT Kerberos KDC 1.6.3 ... # Default definition for Authentication management ...
    (comp.protocols.kerberos)
  • Re: Kerberos MIT SSH Solaris 9
    ... I'm experiencing some problem on kerberizing ssh on Solaris 9 with MIT ... MIT Kerberos KDC 1.6.3 ... # Default definition for Authentication management ...
    (comp.protocols.kerberos)
  • server securing issues
    ... have done some securing on my solaris server and ... Information about the remote host: ... Port ssh ... An SSH server is running on this port. ...
    (SunManagers)