Solaris 10 ssh logins + w2k3 AD native mode
Barry Allard
barry.allard at stanford.edu
Thu Mar 16 13:02:11 EST 2006
Hi Wyllys,
Primary goal: Kerberize ssh keyboard interactive logins in
enterprise-administration-friendly way.
Secondary objective #A: manage user authorization (who can log in)
through Active Directory instead of locally (hacking a bunch of text
files for each new user), create home directory, etc.
Secondary objective #B: ssh (putty) from windows -> sol 10 box ...
automagically log in by Active Directory's kerb ticket (not hostkeys). I
have seen it working using the Centrify ($) PAM mod on Linux, and no
mods to the Windows box.
Thanks,
Barry
Wyllys Ingersoll wrote:
> Barry Allard wrote:
>
>> Hi,
>>
>> This might have been answered in a previous post(s)...
>>
>> I'm trying to kerberize solaris 10 x86 sshd and create wiki scratch
>> build docs on it. Specifically, I'd like to get kerberos working for
>> authentication, and LDAP/AD groups working for authorization. Even
>> better would be to minimize admin tasks by not having to touch passwd,
>> group, keytab for every new user, just have PAM modules do it.
>>
>
> The ssh that comes with Solaris 10 already has support for GSSAPI/KRB5
> authentication.
>
> It's not clear to me what you are trying to do with PAM, though. Can
> you explain in a little more detail?
>
> thanks,
> Wyllys
>
>> kinit works great
>>
>> ------------------- /etc/pam.conf -------------------------
>>
>> #
>> #ident "@(#)pam.conf 1.28 04/04/21 SMI"
>> #
>> # Copyright 2004 Sun Microsystems, Inc. All rights reserved.
>> # Use is subject to license terms.
>> #
>> # PAM configuration
>> #
>> # Unless explicitly defined, all services use the modules
>> # defined in the "other" section.
>> #
>> # Modules are defined with relative pathnames, i.e., they are
>> # relative to /usr/lib/security/$ISA. Absolute path names, as
>> # present in this file in previous releases are still acceptable.
>> #
>> # Authentication management
>> #
>> # login service (explicit because of pam_dial_auth)
>> #
>> login auth requisite pam_authtok_get.so.1
>> login auth required pam_dhkeys.so.1
>> login auth required pam_unix_cred.so.1
>> login auth required pam_unix_auth.so.1
>> login auth required pam_dial_auth.so.1
>>
>>
>> # not sure about these... Kerb only would be fine, or Unix as fallback.
>> sshd-kbdint auth requisite pam_authtok_get.so.1
>> sshd-kbdint auth required pam_dhkeys.so.1
>> sshd-kbdint auth required pam_unix_cred.so.1
>> sshd-kbdint auth sufficient pam_krb5.so.1 use_first_pass debug
>> sshd-kbdint auth optional pam_unix_auth.so.1
>>
>> #
>> # rlogin service (explicit because of pam_rhost_auth)
>> #
>> rlogin auth sufficient pam_rhosts_auth.so.1
>> rlogin auth requisite pam_authtok_get.so.1
>> rlogin auth required pam_dhkeys.so.1
>> rlogin auth required pam_unix_cred.so.1
>> rlogin auth required pam_unix_auth.so.1
>> #
>> # Kerberized rlogin service
>> #
>> krlogin auth required pam_unix_cred.so.1
>> krlogin auth binding pam_krb5.so.1
>> krlogin auth required pam_unix_auth.so.1
>> #
>> # rsh service (explicit because of pam_rhost_auth,
>> # and pam_unix_auth for meaningful pam_setcred)
>> #
>> rsh auth sufficient pam_rhosts_auth.so.1
>> rsh auth required pam_unix_cred.so.1
>> #
>> # Kerberized rsh service
>> #
>> krsh auth required pam_unix_cred.so.1
>> krsh auth binding pam_krb5.so.1
>> krsh auth required pam_unix_auth.so.1
>> #
>> # Kerberized telnet service
>> #
>> ktelnet auth required pam_unix_cred.so.1
>> ktelnet auth binding pam_krb5.so.1
>> ktelnet auth required pam_unix_auth.so.1
>> #
>> # PPP service (explicit because of pam_dial_auth)
>> #
>> ppp auth requisite pam_authtok_get.so.1
>> ppp auth required pam_dhkeys.so.1
>> ppp auth required pam_unix_cred.so.1
>> ppp auth required pam_unix_auth.so.1
>> ppp auth required pam_dial_auth.so.1
>> #
>> # Default definitions for Authentication management
>> # Used when service name is not explicitly mentioned for authentication
>> #
>> other auth requisite pam_authtok_get.so.1
>> other auth required pam_dhkeys.so.1
>> other auth required pam_unix_cred.so.1
>> other auth required pam_unix_auth.so.1
>> #
>> # passwd command (explicit because of a different authentication module)
>> #
>> passwd auth required pam_passwd_auth.so.1
>> #
>> # cron service (explicit because of non-usage of pam_roles.so.1)
>> #
>> cron account required pam_unix_account.so.1
>> #
>> # Default definition for Account management
>> # Used when service name is not explicitly mentioned for account management
>> #
>> other account requisite pam_roles.so.1
>> other account required pam_unix_account.so.1
>> #
>> # Default definition for Session management
>> # Used when service name is not explicitly mentioned for session management
>> #
>> other session sufficient pam_krb5.so.1
>> other session required pam_unix_session.so.1
>> #
>> # Default definition for Password management
>> # Used when service name is not explicitly mentioned for password management
>> #
>> other password required pam_dhkeys.so.1
>> other password requisite pam_authtok_get.so.1
>> other password requisite pam_authtok_check.so.1
>> other password required pam_authtok_store.so.1
>> #
>> # Support for Kerberos V5 authentication and example configurations can
>> # be found in the pam_krb5(5) man page under the "EXAMPLES" section.
>> #
>> # --- EXAMPLES not all that helpful :-(
>>
>> ------------------- /etc/krb5/krb5.conf -------------------
>>
>> [libdefaults]
>> default_realm = WIN.STANFORD.EDU
>> forwardable = true
>> proxiable = true
>> dns_lookup_realm = true
>> dns_lookup_kdc = false
>>
>> [realms]
>>
>> WIN.STANFORD.EDU = {
>> kdc = 171.64.7.177
>> admin_server = 171.64.7.177:88
>> }
>>
>> SOM.WIN.STANFORD.EDU = {
>> kdc = 171.64.7.171
>> admin_server = 171.64.7.171:88
>> }
>>
>> [domain_realm]
>> win.stanford.edu = WIN.STANFORD.EDU
>> .win.stanford.edu = WIN.STANFORD.EDU
>> som.win.stanford.edu = SOM.WIN.STANFORD.EDU
>> .som.win.stanford.edu = SOM.WIN.STANFORD.EDU
>>
>> [appdefaults]
>>
>> pam = {
>> debug = true
>> ticket_lifetime = 36000
>> renew_lifetime = 36000
>> forwardable = true
>> krb4_convert = false
>> }
>>
>> kinit = {
>> renewable = true
>> forwardable = true
>> proxiable = false
>> }
>>
>> login = {
>> krb5_get_tickets = true
>> }
>>
>>
>>
>> Thanks,
>> Barry Allard
>> Stanford Med School
>> MedIRT
>>
>> Solaris geek level: noob++
>> Windows geek level: domainadmin- (can't change DCs or make schema
>> changes)
>> Krb geek level: user--
>> ________________________________________________
>> Kerberos mailing list Kerberos at mit.edu
>> https://mailman-mit-edu.ezproxyberklee.flo.org/mailman/listinfo/kerberos
>>
>
>
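Added by the editor, not part of the thread and not Sun's code: a small Python model of the pam.conf(4) control flags (requisite, required, binding, sufficient, optional) run over the sshd-kbdint and krlogin auth stacks posted above. The module return codes for a wrong password are assumptions (pam_authtok_get succeeds after prompting, pam_dhkeys and pam_unix_cred return PAM_IGNORE, pam_krb5 and pam_unix_auth fail), and the "sshd-kbdint-fixed" service is a constructed variant that reuses the binding/required pattern the same pam.conf already applies to krlogin. It shows why the "not sure about these" stack deserves a second look: with pam_unix_auth marked optional behind a sufficient pam_krb5, a password rejected by both modules still leaves the stack with one recorded success (pam_authtok_get) and no required failure, so the model returns success, while the krlogin pattern fails closed.

```python
"""Added example: evaluate Solaris-style PAM auth stacks with the
control-flag rules from pam.conf(4).  Not code from the thread or from Sun."""

# pam.conf lines copied from the post, plus a constructed "sshd-kbdint-fixed"
# service that reuses the binding/required pattern of the posted krlogin stack.
PAM_CONF = """
sshd-kbdint auth requisite pam_authtok_get.so.1
sshd-kbdint auth required pam_dhkeys.so.1
sshd-kbdint auth required pam_unix_cred.so.1
sshd-kbdint auth sufficient pam_krb5.so.1 use_first_pass debug
sshd-kbdint auth optional pam_unix_auth.so.1

krlogin auth required pam_unix_cred.so.1
krlogin auth binding pam_krb5.so.1
krlogin auth required pam_unix_auth.so.1

# constructed: sshd-kbdint with krlogin-style flags
sshd-kbdint-fixed auth requisite pam_authtok_get.so.1
sshd-kbdint-fixed auth required pam_dhkeys.so.1
sshd-kbdint-fixed auth required pam_unix_cred.so.1
sshd-kbdint-fixed auth binding pam_krb5.so.1 use_first_pass
sshd-kbdint-fixed auth required pam_unix_auth.so.1
"""

SUCCESS, FAIL, IGNORE = "success", "fail", "ignore"

# ASSUMED pam_sm_authenticate() results for a user who types a wrong password:
# pam_authtok_get only collects the token (success), pam_dhkeys and
# pam_unix_cred do no authentication (PAM_IGNORE), pam_krb5 and pam_unix_auth
# both reject the password.
WRONG_PASSWORD = {
    "pam_authtok_get.so.1": SUCCESS,
    "pam_dhkeys.so.1": IGNORE,
    "pam_unix_cred.so.1": IGNORE,
    "pam_krb5.so.1": FAIL,
    "pam_unix_auth.so.1": FAIL,
}
# Same user with a correct Kerberos password (assumed results).
KERBEROS_OK = {**WRONG_PASSWORD, "pam_krb5.so.1": SUCCESS}


def parse_pam_conf(text):
    """Return (service, type, flag, module) tuples, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        service, mtype, flag, module = fields[:4]
        entries.append((service, mtype, flag.lower(), module))
    return entries


def auth_stack(entries, service):
    """A service with no entries of its own falls back to the 'other' stack."""
    own = [e for e in entries if e[0] == service and e[1] == "auth"]
    return own or [e for e in entries if e[0] == "other" and e[1] == "auth"]


def evaluate(stack, results):
    """Walk the stack with the pam.conf(4) control-flag rules: required and
    binding failures decide the outcome; sufficient and optional failures only
    matter when nothing in the stack succeeded; binding and sufficient
    successes short-circuit unless a required failure was already recorded."""
    required_failure = optional_failure = any_success = False
    for _service, _mtype, flag, module in stack:
        rc = results.get(module, IGNORE)
        if rc == IGNORE:                      # PAM_IGNORE is not counted
            continue
        if flag == "requisite":
            if rc == FAIL:
                return FAIL                   # stop the stack immediately
            any_success = True
        elif flag == "required":
            if rc == FAIL:
                required_failure = True
            else:
                any_success = True
        elif flag in ("binding", "sufficient"):
            if rc == SUCCESS:
                if not required_failure:
                    return SUCCESS            # short-circuit the stack
                any_success = True
            elif flag == "binding":
                required_failure = True       # binding failure counts as required
            else:
                optional_failure = True
        elif flag == "optional":
            if rc == SUCCESS:
                any_success = True
            else:
                optional_failure = True
        else:
            raise ValueError("unknown control flag %r" % flag)
    if required_failure:
        return FAIL
    if any_success:
        return SUCCESS                        # optional failures are ignored
    return FAIL                               # only optional failures, or nothing ran


def outcome(service, results):
    """Result of the named service's auth stack for the given module results."""
    return evaluate(auth_stack(parse_pam_conf(PAM_CONF), service), results)


if __name__ == "__main__":
    for svc in ("sshd-kbdint", "krlogin", "sshd-kbdint-fixed"):
        print("%-18s wrong password: %-7s  kerberos ok: %s"
              % (svc, outcome(svc, WRONG_PASSWORD), outcome(svc, KERBEROS_OK)))
```

Running the block prints one line per service; to audit a real /etc/pam.conf, paste its contents into PAM_CONF and check every login-capable service (sshd-kbdint, login, other) the same way, since a service without its own entries silently inherits the "other" stack.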