[24175] in Kerberos


Re: Solaris 9 Authentication

daemon@ATHENA.MIT.EDU (scanell)
Wed Jun 29 17:42:03 2005

Message-ID: <42C3157D.5020506@jpl.nasa.gov>
Date: Wed, 29 Jun 2005 14:41:17 -0700
From: scanell <scanell@jpl.nasa.gov>
MIME-Version: 1.0
To: Kerberos@mit.edu
In-Reply-To: <42C2C990.4020002@jpl.nasa.gov>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Since ssh authentication is taking place on the SUN server, I took a 
copy of the keytab file from the Master Kerberos server and placed it 
in place of the one created by running ktadd on hostA... now hostA has a 
copy of the kadm5.keytab from the Master server.

Once I did this (and this was the same for the SLAVE Kerberos server), 
then pre-auth works and I was able to sign in to hostA from another 
Solaris box.

Can anyone tell me why this works... I am presuming it has something to 
do with local authentication on hostA that requires the keytab file from 
the Master where the ticket was originally created and thus the keytab 
has the data necessary for decryption.

Steve

scanell wrote:

> Configuration:
> MIT Kerberos 1.4
> Solaris 9 Master
> Solaris 9, MAC OSX, & PC Clients
> /usr/lib/ssh/sshd daemon using pam_krb5.so.1
> Pre-Auth enabled
>
> Issue:
> MAC and PC clients using ssh authenticate successfully against Solaris 
> 9 servers and Kerberos system.
> ssh -l <username> <hostA>
> <username>@<hostA> Password: <Enter Kerberos Password>
> Last login: Wed Jun 29 08:26:47 2005 from <client host>
> motd message
> $
>
> Solaris 9 clients get the following error when using Kerberos 
> authentication:
> ssh -l <username> <hostA>
> <username>@<hostA> Password: <Enter Kerberos Password>
> Permission denied, please try again.
> <username>@<hostA> Password: <Enter Shadow Password>
> Last login: Wed Jun 29 08:26:47 2005 from <client hostA>
> motd message
> $
>
> Master kdc.log:
> Jun 29 08:43:55 <master kerberos server> krb5kdc[10062](info): AS_REQ 
> (2 etypes {3 1}) <hostA ip address> PREAUTH_FAILED: <username@REALM> 
> for krbtgt@REALM, Decrypt integrity check failed
>
> Steve
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
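
An added example, not part of the original message: a small parser for the krb5kdc AS_REQ line quoted above that names the requested etypes and tallies PREAUTH_FAILED events per principal and client address. The sample lines, host name, principals and addresses are constructed, and the function names are illustrative.

```python
import re
from collections import Counter

# Etype numbers as assigned in the Kerberos encryption type registry.
ETYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
               16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

# Layout of the AS_REQ line quoted in the message. The colon after the client
# address is optional because the quoted line does not show one.
AS_REQ = re.compile(
    r"krb5kdc\[\d+\]\(info\): AS_REQ \(\d+ etypes \{(?P<etypes>[\d ]+)\}\) "
    r"(?P<addr>\S+?):? (?P<status>[A-Z_]+): (?P<client>\S+) for "
    r"(?P<server>[^,\s]+)(?:, (?P<detail>.*))?$")

def parse_as_req(line):
    """Return the fields of one AS_REQ log line as a dict, or None if no match."""
    m = AS_REQ.search(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["etypes"] = [ETYPE_NAMES.get(int(n), "etype-" + n)
                     for n in rec["etypes"].split()]
    return rec

def preauth_failures(lines):
    """Count PREAUTH_FAILED events per (client principal, source address)."""
    hits = Counter()
    for line in lines:
        rec = parse_as_req(line)
        if rec and rec["status"] == "PREAUTH_FAILED":
            hits[(rec["client"], rec["addr"])] += 1
    return hits

# Constructed sample lines (host, principals and addresses are made up).
_PFX = "Jun 29 08:43:55 kdc1 krb5kdc[10062](info): "
_TGS = "krbtgt/EXAMPLE.COM@EXAMPLE.COM"
SAMPLE = [
    _PFX + "AS_REQ (2 etypes {3 1}) 192.0.2.10 PREAUTH_FAILED: "
           "alice@EXAMPLE.COM for " + _TGS + ", Decrypt integrity check failed",
    _PFX + "AS_REQ (2 etypes {3 1}) 192.0.2.10: PREAUTH_FAILED: "
           "alice@EXAMPLE.COM for " + _TGS + ", Decrypt integrity check failed",
    _PFX + "AS_REQ (2 etypes {3 1}) 192.0.2.11: NEEDED_PREAUTH: "
           "bob@EXAMPLE.COM for " + _TGS + ", Additional pre-authentication required",
    _PFX + "commencing operation",
]

if __name__ == "__main__":
    for (client, addr), n in preauth_failures(SAMPLE).items():
        print(f"{n} PREAUTH_FAILED for {client} from {addr}")
```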
