Douglas E. Engert wrote: > Jeff Blaine wrote: >> Does anyone have a guess as to what I am doing wrong? >> >> MIT Kerberos 1.5.1 > > Where is MIT Kerberos 1.5.1 used in this?
The KDC. > You say you are using the Solaris sshd, and since the > pam.conf file does not give a path for the pam_krb5 > it would use the Solaris version in /usr/lib/secrity/pam_krb5.so > which would use the Solaris version of Kerberos. That's the only version on disk. I have no other pam_krb5. > I assume you are trying to use a pam_krb5 which will use > the MIT Kerberos 1.5.1? Note the the e-types in the request > below are (3 1) which are both DES. That's a separate issue I don't want to address just yet. >> >> Solaris 9 OEM SSH (latest patch cluster) with >> 'PAMAuthenticationViaKBDInt yes' and a pam.conf >> as such (which clearly gets hit): >> >> # Start pam.conf snippet >> sshd-kbdint auth requisite pam_authtok_get.so.1 >> sshd-kbdint auth required pam_dhkeys.so.1 >> sshd-kbdint auth sufficient pam_krb5.so.1 debug try_first_pass >> sshd-kbdint auth required pam_unix_auth.so.1 >> # End of pam.conf snippet >> >> adm # ssh -vvv -l jblaine test.foo.com >> ... >> debug1: Next authentication method: keyboard-interactive >> debug2: userauth_kbdint >> debug2: we sent a keyboard-interactive packet, wait for reply >> debug2: input_userauth_info_req >> debug2: input_userauth_info_req: num_prompts 1 >> Password: >> debug3: packet_send2: adding 32 (len 22 padlen 10 extra_pad 64) >> Connection closed by 192.168.168.100 >> debug1: Calling cleanup 0x47d2c(0x0) >> adm # >> >> debug.log: >> >> Jan 9 20:04:13 test.foo.com sshd[462]: [ID 655841 auth.debug] >> PAM-KRB5 (auth): pam_sm_authenticate flags=0 >> Jan 9 20:04:13 test.foo.com sshd[462]: [ID 549540 auth.debug] >> PAM-KRB5 (auth): attempt_krb5_auth: start: user='jblaine' >> Jan 9 20:04:13 test.foo.com sshd[462]: [ID 179272 auth.debug] >> PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password >> returns: SUCCESS >> >> krb5kdc.log: >> >> Jan 09 20:04:13 test.foo.com krb5kdc[445](info): AS_REQ (2 etypes >> {3 1}) 192.168.168.100: ISSUE: authtime 1168391053, etypes {rep=3 >> tkt=16 ses=1}, [EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED] >> ________________________________________________ >> Kerberos mailing list Kerberos@mit.edu >> https://mailman.mit.edu/mailman/listinfo/kerberos >> >> > ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos