[24177] in Kerberos
Re: Solaris 9 Authentication
daemon@ATHENA.MIT.EDU (Michael Marziani)
Wed Jun 29 18:29:24 2005
Message-ID: <20050629222836.99615.qmail@web33202.mail.mud.yahoo.com>
Date: Wed, 29 Jun 2005 15:28:36 -0700 (PDT)
From: Michael Marziani <mdmarziani@yahoo.com>
To: Kerberos@mit.edu
In-Reply-To: <42C3157D.5020506@jpl.nasa.gov>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Errors-To: kerberos-bounces@mit.edu
"Decrypt integrity check" errors usually point to a keytab problem. Although
I'm somewhat unsure why you had to copy your kadm5.keytab from the master
server, you should have instead created keytabs for each host. In my setup (we
use Solaris 9 SEAM KDCs with Solaris 9 and Red Hat clients) for each ssh server
I want authenticating to the KDCs I simply log into kadmin from that host with
an admin principal, add a host principle for that server to the database, then
export a keytab containing the host pricipal.
On new host:
> kadmin -p <name>/admin
kadmin: addprinc -randkey host/<FQDN>
kadmin: ktadd host/<FQDN>
That should add the host service key to the default keytab on the system which
should be visible to pam_krb5.
Then adjust pam.conf to use pam_krb5 in the right places.
I'd feel strange moving my master kadm5.keytab to other servers, as I don't
think that's intended or necessary. The Kerberos FAQ subject 2.3 seems to back
this up:
http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#filesappserv
Best regards,
-Michael
--- scanell <scanell@jpl.nasa.gov> wrote:
> Since ssh authentication is taking place on the SUN server, I took a
> copy of the keytab file from the Master kerberos server and placed it
> place of the one created by running ktadd on hostA... now hostA has a
> copy of the kadm5.keytab from the Master server.
>
> Once I did this (and this was the same for the SLAVE Kerberos server),
> then pre-auth works and I was able to sign in to hostA from another
> Solaris box.
>
> Can anyone tell me why this works... I am presuming it has something to
> do with local authentication on hostA that requires the keytab file from
> the Master where the ticket was originally created and thus the keytab
> has the data necessary for decryption.
>
> Steve
>
> scanell wrote:
>
> > Configuration:
> > MIT Kerberos 1.4
> > Solaris 9 Master
> > Solaris 9, MAC OSX, & PC Clients
> > /usr/lib/ssh/sshd daemon using pam_krb5.so.1
> > Pre-Auth enabled
> >
> > Issue:
> > MAC and PC clients using ssh authenticate successfully against Solaris
> > 9 servers and Kerberos system.
> > ssh -l <username> <hostA>
> > <username>@<hostA> Password: <Enter Kerberos Password>
> > Last login: Wed Jun 29 08:26:47 2005 from <client host>
> > motd message
> > $
> >
> > Solaris 9 clients get the following error when using Kerberos
> > authentication:
> > ssh -l <username> <hostA>
> > <username>@<hostA> Password: <Enter Kerberos Password>
> > Permission denied, please try again.
> > <username>@<hostA> Password: <Enter Shadow Password>
> > Last login: Wed Jun 29 08:26:47 2005 from <client hostA>
> > motd message
> > $
> >
> > Master kdc.log:
> > Jun 29 08:43:55 <master kerberos server> krb5kdc[10062](info): AS_REQ
> > (2 etypes {3 1}) <hostA ip address> PREAUTH_FAILED: <username@REALM>
> > for krbtgt@REALM, Decrypt integrity check failed
> >
> > Steve
> > ________________________________________________
> > Kerberos mailing list Kerberos@mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> >
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
