OpenSSH public key problem with Solaris 10
Erich Weiler
weiler at soe.ucsc.edu
Sat Jul 1 01:20:43 EST 2006
Arrg. Yup, I need Kerberos to work in this case. Of course it works
when a password is entered, but the public key thing would be very nice.
Annoyingly enough this works under Linux (Red Hat/Fedora). I guess
Sun's Kerberos PAM module is somewhat lacking in functionality.
How annoying of Sun!
Thanks for the reply in any case.
Darren Tucker wrote:
> On Fri, Jun 30, 2006 at 07:04:20AM -0700, Erich Weiler wrote:
>> Hi y'all-
>>
>> I've got this odd openssh problem with Solaris 10 I was hoping someone
>> could shed some light on. Not sure if it is a bug... Basically I'm
>> trying to use pubkeys as an auth method, but am having issues. I can
>> log in using passwords no problem, but as soon as it notices a matching
>> public key it closes the connection. I ran the sshd server (on Solaris
>> 10 box) in debug mode and got this output when I tried to log in:
> [...]
>> Found matching RSA key: 4d:c0:33:3b:dd:75:89:bb:d1:36:e7:17:2b:85:34:9c
>> debug1: restore_uid: 0/0
>> debug1: ssh_rsa_verify: signature correct
>> debug1: do_pam_account: called
>> Access denied for user weiler by PAM account configuration
> [...]
>
> What's happening is that sshd is successfully authenticating via
> public-key.
>
> It then tries to check the account status via PAM which fails, because you
> have Kerberos modules in your PAM config but public-key authentication
> does not provide the Kerberos credentials required for the module to
> perform those checks, and thus it fails.
>
> If you don't use Kerberos then you can comment out the Kerberos account
> (and probably session) modules. (You might want to create a "sshd"
> service in the PAM config specifically for it.) If you do use Kerberos
> then I'm not sure what your options are.
>
--
===================================
Erich Weiler
UNIX Systems Administrator
School of Engineering
University of California Santa Cruz
weiler at soe.ucsc.edu
===================================
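
Added example, not part of the original thread and not OpenSSH code: a small Python triage helper that reads sshd debug output and reports whether a login was rejected at the PAM account phase after the public-key signature had already verified, which is the situation Darren Tucker describes. The function name, stage labels and the second log sample are assumptions made for illustration; the first sample is the debug output quoted in the thread.

```python
import re

# Debug lines quoted in the thread (sshd in debug mode on the Solaris 10 box).
THREAD_LOG = """\
Found matching RSA key: 4d:c0:33:3b:dd:75:89:bb:d1:36:e7:17:2b:85:34:9c
debug1: restore_uid: 0/0
debug1: ssh_rsa_verify: signature correct
debug1: do_pam_account: called
Access denied for user weiler by PAM account configuration
"""

# Constructed sample: same key check, but the account phase raises no objection.
CONSTRUCTED_OK_LOG = """\
debug1: ssh_rsa_verify: signature correct
debug1: do_pam_account: called
Accepted publickey for weiler from 192.0.2.10 port 50000 ssh2
"""

# Matches the thread's ssh_rsa_verify line; other key types are assumed
# to log a line of the same shape.
SIG_OK = re.compile(r"ssh_\w+_verify: signature correct")
PAM_ACCT = re.compile(r"do_pam_account: called")
PAM_DENY = re.compile(r"Access denied for user (\S+) by PAM account configuration")


def classify(log_text):
    """Return (stage, user) describing where a public-key login stopped."""
    sig_ok = pam_called = False
    for line in log_text.splitlines():
        if SIG_OK.search(line):
            sig_ok = True
        elif PAM_ACCT.search(line):
            pam_called = True
        else:
            denied = PAM_DENY.search(line)
            if denied:
                # Key already verified: the problem is in the PAM account
                # stack (here, the Kerberos module), not in authorized_keys.
                if sig_ok and pam_called:
                    return ("pam-account-denied-after-pubkey-ok", denied.group(1))
                return ("pam-account-denied", denied.group(1))
    return ("pubkey-ok", None) if sig_ok else ("no-pubkey-success", None)


if __name__ == "__main__":
    for name, text in (("thread", THREAD_LOG), ("constructed", CONSTRUCTED_OK_LOG)):
        print(name, classify(text))
```

A result of `pam-account-denied-after-pubkey-ok` points the investigation at the `account` entries of the PAM configuration rather than at the key or its file permissions.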