Andrea wrote:
> On 7 Feb, 20:37, "Douglas E. Engert" <[EMAIL PROTECTED]> wrote:
>> Andrea wrote:
>>> Hi all,
>>> I'm experiencing some problems kerberizing ssh on Solaris 9 with MIT
>>> Kerberos.
>>> I have the following setting:
>>> 1. Sun Solaris 5.9
>>> 2. MIT Kerberos KDC 1.6.3 (I use just the KDC from MIT Kerberos)
>>> 3. On the Kerberos client side I used the one from Solaris, from the
>>>    following package: SUNWkrbu
>>> 4. Sun_SSH_1.1, SSH protocols 1.5/2.0, OpenSSL 0x0090700f
>> I don't believe the Solaris 9 sshd supports GSSAPI, which is what you
>> are looking for. On Solaris 9 we use OpenSSH and the MIT Kerberos.
>> (/usr/bin/ldd /usr/lib/ssh/sshd does not show any Kerberos or gssapi libs.)
>>
> If I type ldd /usr/lib/ssh/sshd I obtain the following result:
>
> [EMAIL PROTECTED] # ldd /usr/lib/ssh/sshd
>     libsocket.so.1 => /usr/lib/libsocket.so.1
>     libnsl.so.1 => /usr/lib/libnsl.so.1
>     libz.so.1 => /usr/lib/libz.so.1
>     libpam.so.1 => /usr/lib/libpam.so.1
>     libbsm.so.1 => /usr/lib/libbsm.so.1
>     libwrap.so.1 => /usr/sfw/lib/libwrap.so.1
>     libmd5.so.1 => /usr/lib/libmd5.so.1
>     libcmd.so.1 => /usr/lib/libcmd.so.1
>     libgss.so.1 => /usr/lib/libgss.so.1
>     libc.so.1 => /usr/lib/libc.so.1
>     libdl.so.1 => /usr/lib/libdl.so.1
>     libmp.so.2 => /usr/lib/libmp.so.2
>     libxfn.so.2 => /usr/lib/libxfn.so.2
>     /usr/platform/SUNW,Sun-Fire-V440/lib/libmd5_psr.so.1
>     /usr/platform/SUNW,Sun-Fire-V440/lib/libc_psr.so.1
>
> And then I investigated how ssh calls the library libgss (with
> truss), and it seems that ssh, through libgss, tries to obtain the ticket
> credential. This is part of the output of the truss command, launched as
> follows: truss -u mech_krb5,libgss:: ssh [EMAIL PROTECTED]:
>
> -> libgss:gss_acquire_cred(0xffbff660, 0x0, 0x0, 0x116938)
> open("/var/run/rpc_door/rpc_100029.1", O_RDONLY) Err#2 ENOENT
> open("/var/run/rpc_door/rpc_100029.1", O_RDONLY) Err#2 ENOENT
>
> getuid() = 0 [0]
> open("/tmp/krb5cc_0", O_RDONLY) Err#2 ENOENT
> open("/tmp/krb5cc_0", O_RDONLY) Err#2 ENOENT
> <- libgss:gss_acquire_cred() = 0x70000
>
> It seems that this ssh does support GSS-API in some way.

I stand corrected, it looks like it does support GSSAPI.

> Any further suggestions??

As root, run another server in the foreground:

    /usr/lib/ssh/sshd -ddd -p 2222

Then on a client, as a user (not root) with tickets:

    /usr/bin/ssh -vvv -p 2222 hostname

> Thanks for the precious suggestions.
>
> Bye
>
>> But on Solaris 10, the Sun ssh/sshd does support GSSAPI, and works
>> well with GSSAPI using the Sun Kerberos.
>>
>>> This is my pam.conf:
>>> # PAM configuration
>>> #
>>> # Customized to try pam_unix, then pam_krb5
>>> #
>>> # Unless explicitly defined, all services use the modules
>>> # defined in the "other" section.
>>> #
>>> # Modules are defined with relative pathnames, i.e., they are
>>> # relative to /usr/lib/security/$ISA. Absolute path names, as
>>> # present in this file in previous releases are still acceptable.
>>> #
>>> # Authentication
>>> #
>>> # passwd command (explicit because of a different authentication module)
>>> #
>>> passwd  auth required   pam_passwd_auth.so.1
>>> #
>>> # Default definition for Authentication management
>>> # Used when service name is not explicitly mentioned for authentication
>>> # management
>>> #
>>> other   auth requisite  pam_authtok_get.so.1
>>> other   auth sufficient pam_unix_auth.so.1
>>> other   auth required   pam_krb5.so.1 use_first_pass debug
>>> #
>>> # Account
>>> #
>>> # cron service (explicit because of non-usage of pam_roles.so.1)
>>> #
>>> cron    account required        pam_projects.so.1
>>> cron    account required        pam_unix_account.so.1
>>> # See notes about pam_krb5 in "other" section below
>>> cron    account optional        pam_krb5.so.1 debug
>>> #
>>> # Default definition for Account management
>>> # Used when service name is not explicitly mentioned for account
>>> # management
>>> #
>>> other   account requisite       pam_roles.so.1
>>> other   account required        pam_projects.so.1
>>> other   account required        pam_unix_account.so.1
>>> # According to the pam_krb5 man page, this checks for password expiration.
>>> # I'm not sure this does anything since I've flagged it as optional.
>>> # I'm not sure if I can make it required because of root.
>>> other   account optional        pam_krb5.so.1 debug
>>> #
>>> # Session
>>> #
>>> # Default definition for Session management
>>> # Used when service name is not explicitly mentioned for session
>>> # management
>>> #
>>> other   session optional        pam_krb5.so.1 debug
>>> other   session required        pam_unix_session.so.1
>>> #
>>> # Password
>>> #
>>> # (Don't list pam_krb5 here, this section is only for root. Regular
>>> # users must use the centralized department password changing mechanism.)
>>> #
>>> # Default definition for Password management
>>> # Used when service name is not explicitly mentioned for password
>>> # management
>>> #
>>> other   password requisite      pam_authtok_get.so.1
>>> other   password requisite      pam_authtok_check.so.1
>>> other   password required       pam_authtok_store.so.1
>>> #
>>> I can ssh into the machine using the password from Kerberos; once I am
>>> let in I have the two tickets (TGT and TGS), but if I try to ssh to
>>> the same machine I have to retype the password, hence single sign-on
>>> seems not to be working.
>>> Can anyone suggest where I am going wrong?
>>> Is the pam.conf correct?
>>> Does the native Solaris ssh support GSSAPI credential delegation well?
>> It does on Solaris 10!
>>
>>> My goal is to obtain single sign-on with as many native Solaris tools
>>> as possible, with just one exception: use the MIT Kerberos KDC server!
>> We do that on Solaris 10 but using Windows AD as the KDC.
>>
>>> Thanks in advance!
>>> ________________________________________________
>>> Kerberos mailing list [EMAIL PROTECTED]
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>> --
>>
>> Douglas E. Engert <[EMAIL PROTECTED]>
>> Argonne National Laboratory
>> 9700 South Cass Avenue
>> Argonne, Illinois 60439
>> (630) 252-5444
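An added example, not part of the thread, that decodes the truss output Andrea posted: the major status 0x70000 returned by gss_acquire_cred() carries routine error 7 in bits 16-31, which RFC 2744 defines as GSS_S_NO_CRED, and the two failed opens of /tmp/krb5cc_0 just before it show why: the client ran as root (getuid() = 0) with no credential cache, so GSSAPI had no ticket to offer, which is what the "as a user (not root) with tickets" advice addresses. The function names are my own and the sample lines are copied from the post.

```shell
#!/bin/sh
# Decode a GSS-API major status and spot the missing credential cache in
# truss output. Routine-error names are from RFC 2744 section 3.9.1.

# Constructed sample: the gss_acquire_cred() section of the truss output
# quoted in the thread.
TRUSS_SAMPLE='-> libgss:gss_acquire_cred(0xffbff660, 0x0, 0x0, 0x116938)
getuid() = 0 [0]
open("/tmp/krb5cc_0", O_RDONLY) Err#2 ENOENT
open("/tmp/krb5cc_0", O_RDONLY) Err#2 ENOENT
<- libgss:gss_acquire_cred() = 0x70000'

# Map the routine-error field (bits 16-31) of a major status to its name.
gss_routine_error() {
    val=$(printf '%d' "$1")          # accepts 0x... or decimal
    code=$(( (val >> 16) & 255 ))
    case $code in
        0)  echo GSS_S_COMPLETE ;;
        1)  echo GSS_S_BAD_MECH ;;
        2)  echo GSS_S_BAD_NAME ;;
        7)  echo GSS_S_NO_CRED ;;
        10) echo GSS_S_DEFECTIVE_CREDENTIAL ;;
        11) echo GSS_S_CREDENTIALS_EXPIRED ;;
        13) echo GSS_S_FAILURE ;;
        *)  echo "GSS_ROUTINE_ERROR_$code" ;;
    esac
}

# Extract the value on the "<- libgss:gss_acquire_cred() = ..." line.
acquire_cred_status() {
    printf '%s\n' "$1" | sed -n 's/.*gss_acquire_cred() = \(0x[0-9a-fA-F]*\).*/\1/p' | head -n 1
}

# Report the first krb5 credential cache that open() failed on with ENOENT.
missing_ccache() {
    printf '%s\n' "$1" | sed -n 's/^open("\([^"]*krb5cc[^"]*\)".*ENOENT.*/\1/p' | head -n 1
}

# One-line diagnosis: decoded status plus the missing cache, if any.
diagnose() {
    status=$(acquire_cred_status "$1")
    [ -n "$status" ] || { echo "no gss_acquire_cred() return found"; return 1; }
    name=$(gss_routine_error "$status")
    cc=$(missing_ccache "$1")
    if [ -n "$cc" ]; then echo "$name: $cc missing"; else echo "$name"; fi
}

diagnose "$TRUSS_SAMPLE"
```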