I had a look at sshd_config and saw this:

# jblaine note: For some reason setting this to 'yes' does not work
# with Solaris 10 sshd (not properly at least).
PAMAuthenticationViaKBDInt no

Who knows why or when I put that in our master Solaris 10 pam.conf.
Turning it on solves the problem.

Thanks again, Russ.

Jeff Blaine wrote:
> Solaris 10 SPARC OS
> Solaris 10 / Sun sshd
> MIT Kerberos 1.7
> Russ Allbery's fantastic pam_krb5 3.15 linked to above
>
> Solaris 9 + MIT Kerberos + RA pam_krb5 works!
>
> RHELv5 with stock MIT Kerberos + RA pam_krb5 works!
>
> The setup above fails.
>
> On the client side, I merely see "Permission denied."
> instead of being asked to change my expired password.
>
> If anyone has any ideas, I would love to hear them.
>
> % ssh cairo
> jbla...@cairo's password:
> Permission denied, please try again.
>
> #
> # all krb5kdc.log info matching the timestamp
> #
> Oct 13 16:54:10 kdc1 krb5kdc[2723](info): AS_REQ (7 etypes {18 17 16 23
> 1 3 2}) xxx.xx.10.14: CLIENT KEY EXPIRED: jbla...@foo.com for
> krbtgt/foo....@foo.com, Password has expired
> Oct 13 16:54:10 kdc1 krb5kdc[2723](info): AS_REQ (7 etypes {18 17 16 23
> 1 3 2}) xxx.xx.10.14: ISSUE: authtime 1255467250, etypes {rep=16 tkt=16
> ses=16}, jbla...@foo.com for kadmin/chang...@foo.com
>
>
> #
> # all *.debug syslog info matching the timestamp
> #
> Oct 13 16:54:10 cairo sshd[13611]: [ID 584047 auth.debug] (pam_krb5):
> jblaine: attempting authentication as jbla...@foo.com
> Oct 13 16:54:10 cairo sshd[13611]: [ID 584047 auth.debug] (pam_krb5):
> jblaine: krb5_get_init_creds_password: Generic error (see e-text)
> Oct 13 16:54:10 cairo sshd[13611]: [ID 584047 auth.debug] (pam_krb5):
> jblaine: pam_sm_authenticate: exit (failure)
> Oct 13 16:54:10 cairo sshd[13611]: [ID 800047 auth.notice] Failed
> password for jblaine from xxx.xx.xx.xxx port 36735 ssh2
>
> #
> # /etc/pam.conf
> #
> sshd-password auth requisite pam_authtok_get.so.1
> sshd-password auth sufficient pam_krb5RA.so try_first_pass forwardable
> minimum_uid=92 debug
> sshd-password auth required pam_unix_auth.so.1
> sshd-password auth required pam_unix_cred.so.1
> sshd-password auth optional pam_afs_session.so minimum_uid=92 debug
> sshd-password session optional pam_krb5RA.so minimum_uid=92 debug
> sshd-password session optional pam_afs_session.so minimum_uid=92 debug
>
>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
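
A log-correlation check for the symptom in this thread, as an added example that is not part of the original posts: it flags sshd password failures that coincide with a KDC "CLIENT KEY EXPIRED" entry for the same user. The sample log lines are constructed in the format quoted above; the principals, addresses, the year, and the mapping of a principal's first component to the local username are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the format of the logs quoted in the thread;
# principals, addresses and the year are placeholders, not values from the post.
KDC_LOG = """\
Oct 13 16:54:10 kdc1 krb5kdc[2723](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.14: CLIENT KEY EXPIRED: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
Oct 13 16:54:10 kdc1 krb5kdc[2723](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.14: ISSUE: authtime 1255467250, etypes {rep=16 tkt=16 ses=16}, alice@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM
Oct 13 17:02:41 kdc1 krb5kdc[2723](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.14: ISSUE: authtime 1255467761, etypes {rep=16 tkt=16 ses=16}, bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""
SSHD_LOG = """\
Oct 13 16:54:10 cairo sshd[13611]: [ID 584047 auth.debug] (pam_krb5): alice: attempting authentication as alice@EXAMPLE.COM
Oct 13 16:54:10 cairo sshd[13611]: [ID 584047 auth.debug] (pam_krb5): alice: krb5_get_init_creds_password: Generic error (see e-text)
Oct 13 16:54:10 cairo sshd[13611]: [ID 584047 auth.debug] (pam_krb5): alice: pam_sm_authenticate: exit (failure)
Oct 13 16:54:10 cairo sshd[13611]: [ID 800047 auth.notice] Failed password for alice from 192.0.2.50 port 36735 ssh2
Oct 13 17:02:41 cairo sshd[13702]: [ID 800047 auth.notice] Failed password for bob from 192.0.2.51 port 40112 ssh2
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
KDC_EXPIRED = re.compile(TS + r" \S+ krb5kdc\[\d+\].*CLIENT KEY EXPIRED: (?P<user>[^@\s]+)@")
SSHD_FAILED = re.compile(TS + r" (?P<host>\S+) sshd\[\d+\]: .*Failed password for (?P<user>\S+) from")

def _when(ts, year=2009):
    # syslog timestamps carry no year; the caller supplies one (assumption)
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def expired_password_denials(kdc_log, sshd_log, window=timedelta(seconds=5)):
    """Return (time, user, host) for sshd password failures that fall within
    `window` of a KDC 'CLIENT KEY EXPIRED' entry for the same user, i.e. the
    user was rejected instead of being prompted to change the password."""
    expired = [(m["user"], _when(m["ts"])) for m in KDC_EXPIRED.finditer(kdc_log)]
    hits = []
    for m in SSHD_FAILED.finditer(sshd_log):
        t = _when(m["ts"])
        if any(u == m["user"] and abs(t - e) <= window for u, e in expired):
            hits.append((m["ts"], m["user"], m["host"]))
    return hits

if __name__ == "__main__":
    for ts, user, host in expired_password_denials(KDC_LOG, SSHD_LOG):
        print(f"{ts} {host}: {user} denied with expired password; "
              "check PAMAuthenticationViaKBDInt in sshd_config")
```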