OSEC

From: Derek T. Yarnell (derekcs.umd.edu)
Date: Wed Feb 20 2002 - 11:14:06 CST


    I am having trouble getting this working. Does anyone on this list have any experience with it?

    The pam module that ships with Solaris 8 does the right thing and on the console I can get
    a login and a working tgt placed in the correct file in /tmp.

    (BTW: using MIT krb5-1.2.3 / Solaris 8 / OpenSSH 3.0.2p1)

    Now I have tried just OpenSSH and OpenSSH patched with the gss-api/krb5 patches.
    For just plain ssh I get logged in and then it kicks me out:

    Feb 20 12:10:46 tomax sshd[798]: [ID 705685 auth.debug] PAM-KRB5: pam_sm_authenticate
    Feb 20 12:10:46 tomax sshd[798]: [ID 729219 auth.debug] PAM-KRB5: pam_sm_auth prompting for password
    Feb 20 12:10:46 tomax sshd[798]: [ID 257133 auth.error] PAM-KRB5: no warning possible
    Feb 20 12:10:46 tomax sshd[798]: [ID 800047 auth.info] Accepted password for derek from 128.8.128.206 port 49183 ssh2
    Feb 20 12:10:46 tomax sshd[798]: [ID 390226 auth.error] PAM-KRB5:Could not obtain principal name
    Feb 20 12:10:46 tomax sshd[798]: [ID 833576 auth.debug] pam_setcred: error Permission denied
    Feb 20 12:10:46 tomax sshd[798]: [ID 174864 auth.debug] PAM-KRB5: krb5_cleanup pam_sm_auth_status(0)

    For the patched version I get logged in but no credentials are stored:
    Feb 20 12:10:17 tomax sshd[775]: [ID 800047 auth.info] Accepted password for derek from 128.8.128.206 port 49182 ssh2
    Feb 20 12:10:17 tomax sshd[777]: [ID 800047 auth.info] ssh_gssapi_do_child: Unknown mechanism

    pam.conf looks like:
    login auth sufficient /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass debug
    login auth required /usr/lib/security/$ISA/pam_unix.so.1
    login auth required /usr/lib/security/$ISA/pam_dial_auth.so.1
    sshd auth sufficient /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass debug
    sshd auth required /usr/lib/security/$ISA/pam_unix.so.1

    which should be the same... but it works on the console..

    Anyone have any pointers?

    -- 
    ---
    Derek T. Yarnell
    University of Maryland
    Computer Science Department Unix Staff
    derekcs.umd.edu
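
The two log excerpts in the message, grouped per sshd process so the order of PAM events around "Accepted password" is explicit. This is an added example, not part of the original post; the function names and the "error" keyword heuristic are assumptions, and the log lines are copied from the message.

```python
import re
from collections import defaultdict

# Log lines copied from the message above (Solaris 8 syslog with message IDs).
SAMPLE = """\
Feb 20 12:10:46 tomax sshd[798]: [ID 705685 auth.debug] PAM-KRB5: pam_sm_authenticate
Feb 20 12:10:46 tomax sshd[798]: [ID 729219 auth.debug] PAM-KRB5: pam_sm_auth prompting for password
Feb 20 12:10:46 tomax sshd[798]: [ID 257133 auth.error] PAM-KRB5: no warning possible
Feb 20 12:10:46 tomax sshd[798]: [ID 800047 auth.info] Accepted password for derek from 128.8.128.206 port 49183 ssh2
Feb 20 12:10:46 tomax sshd[798]: [ID 390226 auth.error] PAM-KRB5:Could not obtain principal name
Feb 20 12:10:46 tomax sshd[798]: [ID 833576 auth.debug] pam_setcred: error Permission denied
Feb 20 12:10:46 tomax sshd[798]: [ID 174864 auth.debug] PAM-KRB5: krb5_cleanup pam_sm_auth_status(0)
Feb 20 12:10:17 tomax sshd[775]: [ID 800047 auth.info] Accepted password for derek from 128.8.128.206 port 49182 ssh2
Feb 20 12:10:17 tomax sshd[777]: [ID 800047 auth.info] ssh_gssapi_do_child: Unknown mechanism
"""

# timestamp host program[pid]: [ID msgid facility.level] message
LINE = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} \S+ (?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: "
    r"\[ID \d+ (?P<facility>\w+)\.(?P<level>\w+)\] (?P<msg>.*)$"
)

def parse(text):
    """Return {pid: [(level, message), ...]} in log order, sshd lines only."""
    sessions = defaultdict(list)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m and m["prog"] == "sshd":
            sessions[int(m["pid"])].append((m["level"], m["msg"]))
    return dict(sessions)

def triage(events):
    """Split one process's failures into before/after the 'Accepted ...' line."""
    idx = next((i for i, (_, msg) in enumerate(events)
                if msg.startswith("Accepted ")), None)
    before = events if idx is None else events[:idx]
    after = [] if idx is None else events[idx + 1:]
    # Assumption: a line is a failure if logged at .error or mentioning "error".
    failed = lambda level, msg: level == "error" or "error" in msg.lower()
    return {
        "accepted": idx is not None,
        "errors_before_accept": [m for l, m in before if failed(l, m)],
        "failures_after_accept": [m for l, m in after if failed(l, m)],
    }

if __name__ == "__main__":
    for pid, events in sorted(parse(SAMPLE).items()):
        print(pid, triage(events))
```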
    
