OpenSSH public key problem with Solaris 10

Douglas E. Engert deengert at anl.gov
Sat Jul 1 01:55:35 EST 2006


Erich Weiler wrote:

> Arrg.  Yup, I need Kerberos to work in this case.  Of course it works 
> when a password is entered, but the public key thing would be very nice. 
>   Annoyingly enough this works under linux (redhat/fedora).  I guess 
> Sun's kerberos PAM module is somewhat lacking in functionality.

The Solaris 10 sshd has a nice PAM feature, in that it
will use a different pam service name depending on the auth used.
For example: sshd-password, sshd-kbdint, sshd-pubkey, sshd-gssapi ...
The sshd_config can override these too.

Thus you can skip the pam_krb5 for pubkey.

OpenSSH might want to consider a similar feature.


> 
> How annoying of Sun!
> 
> Thanks for the reply in any case.
> 
> Darren Tucker wrote:
> 
>>On Fri, Jun 30, 2006 at 07:04:20AM -0700, Erich Weiler wrote:
>>
>>>Hi ya'll-
>>>
>>>I've got this odd openssh problem with Solaris 10 I was hoping someone 
>>>could shed some light on.  Not sure if it is a bug... Basically I'm 
>>>trying to use pubkeys as an auth method, but am having issues.  I can 
>>>log in using passwords no problem, but as soon as it notices a matching 
>>>public key it closes the connection.  I ran the sshd server (on Solaris 
>>>10 box) in debug mode and got this output when I tried to log in:
>>
>>[...]
>>
>>>Found matching RSA key: 4d:c0:33:3b:dd:75:89:bb:d1:36:e7:17:2b:85:34:9c
>>>debug1: restore_uid: 0/0
>>>debug1: ssh_rsa_verify: signature correct
>>>debug1: do_pam_account: called
>>>Access denied for user weiler by PAM account configuration
>>
>>[...]
>>
>>What's happening is that sshd is successfully authenticating via
>>public-key.
>>
>>It then tries to check the account status via PAM which fails, because you
>>have Kerberos modules in your PAM config but public-key authentication
>>does not provide the Kerberos credentials required for the module to
>>perform those checks, and thus it fails.
>>
>>If you don't use Kerberos then you can comment out the Kerberos account
>>(and probably session) modules.  (You might want to create a "sshd"
>>service in the PAM config specifically for it.)  If you do use Kerberos
>>then I'm not sure what your options are.
>>
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
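
An added example, not part of the original message: a small checker that reads a Solaris-style pam.conf and reports which of the per-method sshd service names named above still run pam_krb5 in their account stack. The sample configuration is constructed, and the function names are hypothetical; it relies on pam.conf falling back to the "other" service when a service has no entries for a module type.

```python
import os

# Constructed sample pam.conf (not taken from the thread): Kerberos account
# checks stay on the "other" fallback, sshd-pubkey gets its own account stack.
SAMPLE_PAM_CONF = """\
other        account  requisite  pam_roles.so.1
other        account  required   pam_unix_account.so.1
other        account  required   pam_krb5.so.1   # needs Kerberos credentials
sshd-pubkey  account  requisite  pam_roles.so.1
sshd-pubkey  account  required   pam_unix_account.so.1
"""

# Service names listed in the message above.
SSHD_SERVICES = ["sshd-password", "sshd-kbdint", "sshd-pubkey", "sshd-gssapi"]


def parse_pam_conf(text):
    """Return {(service, module_type): [(control_flag, module_path, options)]}."""
    stacks = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) < 4:
            continue  # blank, comment-only or malformed line
        service, mtype, flag, module = fields[:4]
        stacks.setdefault((service, mtype), []).append((flag, module, fields[4:]))
    return stacks


def effective_stack(stacks, service, mtype):
    """Entries for the service, or the "other" entries if it has none."""
    return stacks.get((service, mtype)) or stacks.get(("other", mtype), [])


def services_hitting(stacks, services, module_prefix, mtype="account"):
    """Services whose effective stack of this type loads the given module."""
    hits = []
    for svc in services:
        for _flag, module, _opts in effective_stack(stacks, svc, mtype):
            if os.path.basename(module).startswith(module_prefix):
                hits.append(svc)
                break
    return hits


if __name__ == "__main__":
    stacks = parse_pam_conf(SAMPLE_PAM_CONF)
    for svc in SSHD_SERVICES:
        mods = [m for _f, m, _o in effective_stack(stacks, svc, "account")]
        print(f"{svc:14} account -> {', '.join(mods)}")
    print("pam_krb5 account check runs for:",
          services_hitting(stacks, SSHD_SERVICES, "pam_krb5"))
```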




More information about the openssh-unix-dev mailing list