OpenSSH public key problem with Solaris 10
Erich Weiler
weiler at soe.ucsc.edu
Sat Jul 1 02:15:40 EST 2006
Upon further investigation I discovered that the root of my problem
actually lies with the fact that Solaris's pam_ldap module does not
allow account information to be read without valid credentials. It does
not consider an ssh key auth to be a valid cred set, but it does
consider a password to be (obviously).
Linux pam_ldap (or PADL pam_ldap) works fine, which is why this setup is
working on my linux boxes.
This is apparently a documented issue and they are working on fixing it.
I'm bugging the Sun engineers about it now. Turns out it has nothing
to do with kerberos. Thanks a million for replying in any case!
-erich
Douglas E. Engert wrote:
> Erich Weiler wrote:
>
>> Arrg. Yup, I need Kerberos to work in this case. Of course it works
>> when a password is entered, but the public key thing would be very
>> nice. Annoyingly enough this works under linux (redhat/fedora). I
>> guess Sun's kerberos PAM module is somewhat lacking in functionality.
>
> The Solaris 10 sshd has a nice PAM feature, in that it
> will use a different pam service name depending on the auth used.
> For example: sshd-password, sshd-kbdint, sshd-pubkey, sshd-gssapi ...
> The sshd_config can override these too.
>
> Thus you can skip the pam_krb5 for pubkey.
>
> OpenSSH might want to consider a similar feature.
>
>
>>
>> How annoying of Sun!
>>
>> Thanks for the reply in any case.
>>
>> Darren Tucker wrote:
>>
>>> On Fri, Jun 30, 2006 at 07:04:20AM -0700, Erich Weiler wrote:
>>>
>>>> Hi y'all-
>>>>
>>>> I've got this odd openssh problem with Solaris 10 I was hoping
>>>> someone could shed some light on. Not sure if it is a bug...
>>>> Basically I'm trying to use pubkeys as an auth method, but am having
>>>> issues. I can log in using passwords no problem, but as soon as it
>>>> notices a matching public key it closes the connection. I ran the
>>>> sshd server (on Solaris 10 box) in debug mode and got this output
>>>> when I tried to log in:
>>>
>>> [...]
>>>
>>>> Found matching RSA key: 4d:c0:33:3b:dd:75:89:bb:d1:36:e7:17:2b:85:34:9c
>>>> debug1: restore_uid: 0/0
>>>> debug1: ssh_rsa_verify: signature correct
>>>> debug1: do_pam_account: called
>>>> Access denied for user weiler by PAM account configuration
>>>
>>> [...]
>>>
>>> What's happening is that sshd is successfully authenticating via
>>> public-key.
>>>
>>> It then tries to check the account status via PAM which fails, because
>>> you have Kerberos modules in your PAM config but public-key authentication
>>> does not provide the Kerberos credentials required for the module to
>>> perform those checks, and thus it fails.
>>>
>>> If you don't use Kerberos then you can comment out the Kerberos account
>>> (and probably session) modules. (You might want to create a "sshd"
>>> service in the PAM config specifically for it.) If you do use Kerberos
>>> then I'm not sure what your options are.
>>>
>>
>>
>
--
===================================
Erich Weiler
UNIX Systems Administrator
School of Engineering
University of California Santa Cruz
weiler at soe.ucsc.edu
===================================
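The per-auth-method PAM service names that Douglas describes are what let a site keep pam_ldap (or pam_krb5) in its general account stack while taking them out of the public-key path. The fragment below is an added illustration in Solaris 10 /etc/pam.conf syntax, not configuration from anyone in this thread; the "other" stack shown is an assumed example of the kind of setup that produces the "Access denied for user ... by PAM account configuration" message, and the module names are the standard Solaris 10 ones (pam_roles.so.1, pam_unix_account.so.1, pam_ldap.so.1, pam_krb5.so.1, pam_unix_session.so.1).

```text
# /etc/pam.conf (Solaris 10 format: service  type  control_flag  module  [options])
#
# Assumed "other" account stack with the directory and Kerberos modules in it.
# Any sshd-* service that has no entry of its own falls through to "other",
# so a public-key login reaches pam_ldap here and is denied, because the key
# exchange hands PAM no credentials it can bind to the directory with.
other        account requisite  pam_roles.so.1
other        account required   pam_unix_account.so.1
other        account required   pam_ldap.so.1
other        account optional   pam_krb5.so.1

# Explicit stack for the service name the Solaris sshd uses after a successful
# public-key authentication. It keeps the local role and /etc/shadow checks but
# leaves out the modules that need a password or Kerberos credentials.
sshd-pubkey  account requisite  pam_roles.so.1
sshd-pubkey  account required   pam_unix_account.so.1

# Session stack for the same service name, so that a pam_krb5 session entry
# added to "other" does not get pulled into the key-auth path either.
sshd-pubkey  session required   pam_unix_session.so.1
```

Two things to check after making a change like this. First, confirm the service name actually in use on the box (the sshd_config can override it, as noted above) by running the daemon with `sshd -d` and watching which account stack the debug output reaches. Second, be deliberate about what the shorter stack no longer checks: with pam_ldap out of the sshd-pubkey account stack, a user whose directory account has been disabled or expired can still log in with a key as long as their authorized_keys entry exists locally, because only the local role and /etc/shadow checks run. If the directory is the authoritative place where accounts get turned off, that needs to be mirrored by removing the keys (or the local account) as part of the offboarding procedure.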