This is a discussion on Re: OpenSSH public key problem with Solaris 10 within the OpenSSH Development forums, part of the Networking and Network Related category.
Erich Weiler wrote:
> Arrg. Yup, I need Kerberos to work in this case. Of course it works
> when a password is entered, but the public key thing would be very nice.
> Annoyingly enough this works under linux (redhat/fedora). I guess
> Sun's kerberos PAM module is somewhat lacking in functionality.

The Solaris 10 sshd has a nice PAM feature, in that it will use a
different pam service name depending on the auth used. For example:
sshd-password, sshd-kbdint, sshd-pubkey, sshd-gssapi ...
The sshd_config can override these too.

Thus you can skip the pam_krb5 for pubkey.

OpenSSH might want to consider a similar feature.

>
> How annoying of Sun!
>
> Thanks for the reply in any case.
>
> Darren Tucker wrote:
>
>>On Fri, Jun 30, 2006 at 07:04:20AM -0700, Erich Weiler wrote:
>>
>>>Hi ya'll-
>>>
>>>I've got this odd openssh problem with Solaris 10 I was hoping someone
>>>could shed some light on. Not sure if it is a bug... Basically I'm
>>>trying to use pubkeys as an auth method, but am having issues. I can
>>>log in using passwords no problem, but as soon as it notices a matching
>>>public key it closes the connection. I ran the sshd server (on Solaris
>>>10 box) in debug mode and got this output when I tried to log in:
>>
>>[...]
>>
>>>Found matching RSA key: 4d:c0:33:3b:dd:75:89:bb:d1:36:e7:17:2b:85:34:9c
>>>debug1: restore_uid: 0/0
>>>debug1: ssh_rsa_verify: signature correct
>>>debug1: do_pam_account: called
>>>Access denied for user weiler by PAM account configuration
>>
>>[...]
>>
>>What's happening is that sshd is successfully authenticating via
>>public-key.
>>
>>It then tries to check the account status via PAM which fails, because you
>>have Kerberos modules in your PAM config but public-key authentication
>>does not provide the Kerberos credentials required for the module to
>>perform those checks, and thus it fails.
>>
>>If you don't use Kerberos then you can comment out the Kerberos account
>>(and probably session) modules. (You might want to create a "sshd"
>>service in the PAM config specifically for it.) If you do use Kerberos
>>then I'm not sure what your options are.
>>
>
>

--

Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://www.mindrot.org/mailman/listi...enssh-unix-dev
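The per-method service names described in the message above can be checked against a PAM configuration before relying on them. The following is an added example, not code from the thread or from OpenSSH or Solaris: it assumes the Solaris-style `pam.conf` column layout (service, module type, control flag, module path, options) with fallback to the `other` service, and the sample configuration is constructed.

```python
# Constructed sample in the assumed Solaris-style pam.conf layout.
SAMPLE_PAM_CONF = """\
# constructed sample, not taken from the thread
other        account requisite pam_roles.so.1
other        account required  pam_krb5.so.1
other        account required  pam_unix_account.so.1
sshd-pubkey  account requisite pam_roles.so.1
sshd-pubkey  account required  pam_unix_account.so.1
"""

def parse_pam_conf(text):
    """Return {(service, module_type): [(control, module, options), ...]}."""
    stacks = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4:
            continue  # blank, comment-only or malformed line
        service, mtype, control, module = fields[:4]
        stacks.setdefault((service, mtype), []).append(
            (control, module, fields[4:]))
    return stacks

def effective_stack(stacks, service, mtype="account"):
    """Stack PAM runs: the service's own entries, else the 'other' fallback."""
    own = stacks.get((service, mtype))
    if own:
        return service, own
    return "other", stacks.get(("other", mtype), [])

def krb5_in_account_stack(stacks, service):
    """True if a pam_krb5 module is in the account stack used for service."""
    _, stack = effective_stack(stacks, service)
    return any(module.rsplit("/", 1)[-1].startswith("pam_krb5")
               for _, module, _ in stack)

if __name__ == "__main__":
    stacks = parse_pam_conf(SAMPLE_PAM_CONF)
    # "sshd" is the single service name a daemon without per-method
    # names would use; it has no entries here, so it falls back to "other".
    for svc in ("sshd", "sshd-pubkey", "sshd-password"):
        used, _ = effective_stack(stacks, svc)
        print(f"{svc:14} uses '{used}' account stack, "
              f"pam_krb5 present: {krb5_in_account_stack(stacks, svc)}")
```

A service whose account stack still contains `pam_krb5` is the one where a public-key login would hit the `do_pam_account` denial shown in the debug output.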