On Tue, Mar 28, 2006 at 03:50:12PM -0600, Douglas E. Engert wrote:
> Fletcher Cocquyt wrote:
> > I have:
> > 1) Placed my krb5.keytab in /etc/krb5/krb5.keytab:
> > # klist -e -k /etc/krb5/krb5.keytab
> > Keytab name: FILE:/etc/krb5/krb5.keytab
> > KVNO Principal
> > ---- --------------------------------------------------------------------------
> >    5 host/[EMAIL PROTECTED] (DES cbc mode with CRC-32)
>
> Realms are usually uppercase. Is this the correct principal? How did you
> create this keytab file?

And the hostnames in the principals are all lower case.

> > 2) configured openssh via /etc/ssh/sshd_config
> > UsePAM yes
> > 3) configured /etc/pam.conf
> > sshd auth sufficient pam_unix_auth.so.1
> > sshd auth required pam_krb5.so.1 debug
> > 4) /etc/krb5/krb5.conf is the standard one from campus and includes:
> > default_tgs_enctypes = des-cbc-crc
> > default_tkt_enctypes = des-cbc-crc
>
> You may want to take these last two lines out, as it might be forcing to
> only accept DES, even though the KDC and the client think it can do better.

Perhaps you're running into:

6320871 kinit fails if default_tkt_enctypes = des-cbc-crc but princ has des-cbc-md5 and preauth required

> > I am currently getting SUCCESS on krb auth, then "bad encryption type" in
> > /var/adm/messages.
> >
> > Mar 22 11:25:02 HOSTNAME sshd[8392]: [ID 549540 auth.debug] PAM-KRB5 (auth):
> > attempt_krb5_auth: start: user='fcocquyt'
> > Mar 22 11:25:02 HOSTNAME sshd[8392]: [ID 179272 auth.debug] PAM-KRB5 (auth):
> > attempt_krb5_auth: krb5_get_init_creds_password returns: SUCCESS
> > Mar 22 11:25:02 HOSTNAME sshd[8392]: [ID 537602 auth.error] PAM-KRB5 (auth):
> > krb5_verify_init_creds failed: Bad encryption type

Here the host took your username and password and got a TGT, then it got a
service ticket and then it complained about a "bad" encryption type.

What does klist -ke say? Can you send kadmin(1) getprinc output for the
host's host principal? Is SUNWcry (supplemental crypto package, needed for
AES w/ 256-bit keys) installed? You may be running into the CR listed above.

> > I am almost ready to give up on Sun's pam_krb and kerberos
>
> Don't give up on Solaris 10 yet, it works rather well with their ssh and sshd.

Thanks Doug. I agree :)

BTW, password validation with Kerberos V is something you want, but in the
case of ssh what you really want is to use Kerberos V for network
authentication, not password validation.

The way you do this is by first acquiring a TGT (via kinit(1) or at logon
time via pam_krb5(5)) and then using the 'gssapi-keyex' and/or
'gssapi-with-mic' SSHv2 authentication methods. See sshd(1M),
sshd_config(1M), krb5_auth_rules(5), etcetera.

BTW, you can also use the [EMAIL PROTECTED] list for Solaris- and
security-specific queries.

Nico
-- 
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
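An added check, not from the thread and not Sun's code: a POSIX shell snippet that parses the klist -e -k output format shown above and a krb5.conf [libdefaults] fragment, and flags a host keytab that holds only DES keys while krb5.conf pins the client to DES enctypes, the combination Doug suggests removing. All inputs are constructed; myhost.example.com and EXAMPLE.COM are placeholders.

```shell
# Constructed sample of `klist -e -k` output, in the format shown in the thread
# (host name and realm are placeholders, not the poster's values).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/myhost.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)'

# Constructed krb5.conf fragments: the pinned-to-DES one from the thread,
# and the same file with the two enctype lines removed as Doug suggests.
PINNED_CONF='[libdefaults]
        default_realm = EXAMPLE.COM
        default_tgs_enctypes = des-cbc-crc
        default_tkt_enctypes = des-cbc-crc'
FIXED_CONF='[libdefaults]
        default_realm = EXAMPLE.COM'

# keytab_enctypes KLIST_OUTPUT: print the enctype (parenthesised text) of each keytab entry.
keytab_enctypes() {
    printf '%s\n' "$1" | sed -n 's/^ *[0-9][0-9]* [^ ]* (\(.*\))$/\1/p'
}

# forced_enctypes KRB5_CONF_TEXT: print the values of default_tkt_enctypes and
# default_tgs_enctypes, one per line (empty if the client negotiates freely).
forced_enctypes() {
    printf '%s\n' "$1" | sed -n \
        -e 's/^[[:space:]]*default_tkt_enctypes[[:space:]]*=[[:space:]]*//p' \
        -e 's/^[[:space:]]*default_tgs_enctypes[[:space:]]*=[[:space:]]*//p'
}

# des_pinned KLIST_OUTPUT KRB5_CONF_TEXT: exit 0 when the keytab holds only DES
# keys AND krb5.conf pins the client to DES enctypes (the situation in the thread,
# where a non-DES service ticket from the KDC makes krb5_verify_init_creds fail);
# exit 1 otherwise.
des_pinned() {
    kt=$(keytab_enctypes "$1")
    forced=$(forced_enctypes "$2")
    [ -n "$kt" ] || return 1                                    # no host key at all
    printf '%s\n' "$kt" | grep -v -q '^DES cbc' && return 1     # a non-DES key exists
    [ -n "$forced" ] || return 1                                # nothing pinned
    printf '%s\n' "$forced" | grep -v -q '^des-cbc' && return 1 # pinned, but not to DES
    return 0
}

if des_pinned "$SAMPLE_KLIST" "$PINNED_CONF"; then
    echo "keytab is DES-only and krb5.conf pins DES: drop default_tkt/tgs_enctypes or rekey the host"
else
    echo "no DES pinning detected"
fi
```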