OpenSSH public key problem with Solaris 10
Douglas E. Engert
deengert at anl.gov
Sat Jul 1 01:55:35 EST 2006

Erich Weiler wrote:
> Arrg. Yup, I need Kerberos to work in this case. Of course it works
> when a password is entered, but the public key thing would be very nice.
> Annoyingly enough this works under linux (redhat/fedora). I guess
> Sun's kerberos PAM module is somewhat lacking in functionality.

The Solaris 10 sshd has a nice PAM feature, in that it
will use a different PAM service name depending on the auth used.
For example: sshd-password, sshd-kbdint, sshd-pubkey, sshd-gssapi ...
The sshd_config can override these too.
Thus you can skip the pam_krb5 for pubkey.
OpenSSH might want to consider a similar feature.

>
> How annoying of Sun!
>
> Thanks for the reply in any case.
>
> Darren Tucker wrote:
>
>>On Fri, Jun 30, 2006 at 07:04:20AM -0700, Erich Weiler wrote:
>>
>>>Hi ya'll-
>>>
>>>I've got this odd openssh problem with Solaris 10 I was hoping someone
>>>could shed some light on. Not sure if it is a bug... Basically I'm
>>>trying to use pubkeys as an auth method, but am having issues. I can
>>>log in using passwords no problem, but as soon as it notices a matching
>>>public key it closes the connection. I ran the sshd server (on Solaris
>>>10 box) in debug mode and got this output when I tried to log in:
>>
>>[...]
>>
>>>Found matching RSA key: 4d:c0:33:3b:dd:75:89:bb:d1:36:e7:17:2b:85:34:9c
>>>debug1: restore_uid: 0/0
>>>debug1: ssh_rsa_verify: signature correct
>>>debug1: do_pam_account: called
>>>Access denied for user weiler by PAM account configuration
>>
>>[...]
>>
>>What's happening is that sshd is successfully authenticating via
>>public-key.
>>
>>It then tries to check the account status via PAM which fails, because you
>>have Kerberos modules in your PAM config but public-key authentication
>>does not provide the Kerberos credentials required for the module to
>>perform those checks, and thus it fails.
>>
>>If you don't use Kerberos then you can comment out the Kerberos account
>>(and probably session) modules. (You might want to create a "sshd"
>>service in the PAM config specifically for it.) If you do use Kerberos
>>then I'm not sure what your options are.
>>
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
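
Added example (not part of the original messages, and not Sun or OpenSSH code): a small Python check that resolves which PAM account stack each Solaris sshd service name from the reply would use, and reports which of them still call pam_krb5. The pam.conf sample is constructed, the function names are hypothetical, and the lookup assumes the pam.conf(4) rule that service-specific entries take precedence over "other".

```python
# Added example: resolve the PAM account stack per Solaris sshd service name.
SSHD_SERVICES = ["sshd-password", "sshd-kbdint", "sshd-pubkey", "sshd-gssapi"]

# Constructed sample in pam.conf(4) layout: service, type, control flag, module.
SAMPLE_PAM_CONF = """\
# account management
other        account requisite  pam_roles.so.1
other        account required   pam_unix_account.so.1
other        account required   pam_krb5.so.1
# pubkey logins carry no Kerberos credentials, so leave pam_krb5 out
sshd-pubkey  account requisite  pam_roles.so.1
sshd-pubkey  account required   pam_unix_account.so.1
"""

def parse_pam_conf(text):
    """Return {(service, module_type): [(control_flag, module), ...]}."""
    stacks = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 4:
            continue  # blank, comment, or malformed line
        service, mtype, flag, module = fields[:4]
        key = (service.lower(), mtype.lower())
        stacks.setdefault(key, []).append((flag, module))
    return stacks

def account_stack(stacks, service):
    """Service-specific entries win; otherwise PAM falls back to 'other'."""
    own = stacks.get((service.lower(), "account"))
    return own or stacks.get(("other", "account"), [])

def services_using(stacks, module_prefix="pam_krb5"):
    """List sshd services whose account stack includes the given module."""
    hits = []
    for svc in SSHD_SERVICES:
        modules = [m.rsplit("/", 1)[-1] for _, m in account_stack(stacks, svc)]
        if any(m.startswith(module_prefix) for m in modules):
            hits.append(svc)
    return hits

if __name__ == "__main__":
    stacks = parse_pam_conf(SAMPLE_PAM_CONF)
    for svc in SSHD_SERVICES:
        print(svc, [m for _, m in account_stack(stacks, svc)])
    print("account stacks with pam_krb5:", services_using(stacks))
```

With the two sshd-pubkey lines removed from the sample, every service falls back to "other" and sshd-pubkey reappears in the result, which is the configuration that produces the "Access denied ... by PAM account configuration" message quoted in the thread.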