[OpenAFS] MIT Kerberos V authentication with OpenAFS

Charles Clancy security@xauth.net
Wed, 6 Mar 2002 16:27:46 -0600 (CST)


> I have gotten the shipped Solaris 8 pam_krb5 module to log into
> the console with the appropriate ticket and such. But ssh does not
> want to do it. Anyone doing this? If so might I pick your brain on a
> few things?

Around version 2.9, OpenSSH stopped working with stock Solaris krb5 PAM.
I don't know why, and I haven't been motivated enough to figure out why.
Someone on focus-sun@securityfocus.com reported similar behaviour a while
back, which verified it "wasn't just me".  If you go back to OpenSSH
2.5.1, you shouldn't have a problem.  I'm not sure if that version is
secure, however.  If you are familiar enough with PAM, it's not too hard
to trace the PAM client code in OpenSSH to find the point of failure -- like
I said, I just haven't been motivated to do so.

The stock Solaris krb5 PAM has had some interesting problems.  At one
point, it would only authenticate people with 8 character or fewer
passwords.  A patch cluster about a year ago seemed to fix that problem.

I have yet to see the module work at all on 32-bit Solaris 8 machines.  I
had some Ultra 2's that prefer to not run the 64-bit version of Solaris,
because there's some exploit in the processor itself when running the
64-bit version of Solaris.  The command line utilities, kinit, et al,
worked fine -- it was just krb5 PAM.

--
t. charles clancy <> tclancy@uiuc.edu <> www.uiuc.edu/~tclancy