This is a discussion on Re: OpenSSH public key problem with Solaris 10 within the OpenSSH Development forums, part of the Networking and Network Related category.

Upon further investigation I discovered that the root of my problem
actually lies with the fact that Solaris's pam_ldap module does not
allow account information to be read without valid credentials. It does
not consider an ssh key auth to be a valid cred set, but it does
consider a password to be (obviously). Linux pam_ldap (or PADL
pam_ldap) works fine, which is why this setup is working on my linux
boxes. This is apparently a documented issue and they are working on
fixing it. I'm bugging the Sun engineers about it now. Turns out it
has nothing to do with kerberos.

Thanks a million for replying in any case!

-erich

Douglas E. Engert wrote:
> Erich Weiler wrote:
>
>> Arrg. Yup, I need Kerberos to work in this case. Of course it works
>> when a password is entered, but the public key thing would be very
>> nice. Annoyingly enough this works under linux (redhat/fedora). I
>> guess Sun's kerberos PAM module is somewhat lacking in functionality.
>
> The Solaris 10 sshd has a nice PAM feature, in that it
> will use a different pam service name depending on the auth used.
> For example: sshd-password, sshd-kdbint, sshd-pubkey, sshd-gssapi ...
> The sshd_config can override these too.
>
> Thus you can skip the pam_krb5 for pubkey.
>
> OpenSSH might want to consider a similar feature.
>
>
>>
>> How annoying of Sun!
>>
>> Thanks for the reply in any case.
>>
>> Darren Tucker wrote:
>>
>>> On Fri, Jun 30, 2006 at 07:04:20AM -0700, Erich Weiler wrote:
>>>
>>>> Hi ya'll-
>>>>
>>>> I've got this odd openssh problem with Solaris 10 I was hoping
>>>> someone could shed some light on. Not sure if it is a bug...
>>>> Basically I'm trying to use pubkeys as an auth method, but am having
>>>> issues. I can log in using passwords no problem, but as soon as it
>>>> notices a matching public key it closes the connection. I ran the
>>>> sshd server (on Solaris 10 box) in debug mode and got this output
>>>> when I tried to log in:
>>>
>>> [...]
>>>
>>>> Found matching RSA key: 4d:c0:33:3b:dd:75:89:bb:d1:36:e7:17:2b:85:34:9c
>>>> debug1: restore_uid: 0/0
>>>> debug1: ssh_rsa_verify: signature correct
>>>> debug1: do_pam_account: called
>>>> Access denied for user weiler by PAM account configuration
>>>
>>> [...]
>>>
>>> What's happening is that sshd is successfully authenticating via
>>> public-key.
>>>
>>> It then tries to check the account status via PAM which fails,
>>> because you
>>> have Kerberos modules in your PAM config but public-key authentication
>>> does not provide the Kerberos credentials required for the module to
>>> perform those checks, and thus it fails.
>>>
>>> If you don't use Kerberos then you can comment out the Kerberos account
>>> (and probably session) modules. (You might want to create a "sshd"
>>> service in the PAM config specifically for it.) If you do use Kerberos
>>> then I'm not sure what your options are.
>>>
>>
>>
>

--
===================================
Erich Weiler
UNIX Systems Administrator
School of Engineering
University of California Santa Cruz
weiler@soe.ucsc.edu
===================================

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://www.mindrot.org/mailman/listi...enssh-unix-dev
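
The failure discussed in this thread (key signature accepted, then the PAM account stage denies the login) can be picked out of sshd debug output mechanically. The following is an added example, not code from the thread or from OpenSSH; the function name `triage`, the verdict labels and the second sample log are assumptions made for illustration.

```python
import re

# Debug lines exactly as quoted in the thread.
THREAD_LOG = """\
Found matching RSA key: 4d:c0:33:3b:dd:75:89:bb:d1:36:e7:17:2b:85:34:9c
debug1: restore_uid: 0/0
debug1: ssh_rsa_verify: signature correct
debug1: do_pam_account: called
Access denied for user weiler by PAM account configuration
"""

# Constructed contrast case (user "alice" is made up): the account stage
# denies a login where no public-key signature was verified first.
CONSTRUCTED_LOG = """\
debug1: do_pam_account: called
Access denied for user alice by PAM account configuration
"""

SIG_OK = re.compile(r"ssh_rsa_verify: signature correct")
PAM_ACCOUNT = re.compile(r"do_pam_account: called")
DENIED = re.compile(r"Access denied for user (\S+) by PAM account configuration")


def triage(log_text):
    """Return (user, verdict) for every PAM account-stage denial in the log."""
    findings = []
    sig_ok = pam_called = False
    for line in log_text.splitlines():
        if SIG_OK.search(line):
            sig_ok = True            # key authentication itself succeeded
        elif PAM_ACCOUNT.search(line):
            pam_called = True        # sshd moved on to the account check
        else:
            m = DENIED.search(line)
            if m and pam_called:
                verdict = "pubkey-ok-account-denied" if sig_ok else "account-denied"
                findings.append((m.group(1), verdict))
                sig_ok = pam_called = False   # reset for the next attempt
    return findings


if __name__ == "__main__":
    for user, verdict in triage(THREAD_LOG) + triage(CONSTRUCTED_LOG):
        print(user, verdict)
```

A `pubkey-ok-account-denied` verdict points at the PAM account stack for the service sshd is using, not at the key or `authorized_keys`.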