
SSH & Kerberos woes

 
UxBoD
Frequent Advisor

SSH & Kerberos woes

Hi,

I have just built an 11.23 PA-RISC system for upgrade testing but I'm having real issues getting SSH to play nicely with Kerberos. We are authenticating against a Win2K3 AD, which is working fine for normal users, but for root and a couple of application accounts I have set up pam_user.conf to use libpam_unix, and it seems to be ignored.

Here are the configuration files :-

pam.conf
--------
login auth required /usr/lib/security/$ISA/libpam_updbe.so.1
login auth sufficient /usr/lib/security/$ISA/libpam_krb5.so.1
login auth required /usr/lib/security/$ISA/libpam_unix.so.1 try_first_pass
su auth required libpam_unix.so.1
dtlogin auth required libpam_hpsec.so.1
dtlogin auth required libpam_unix.so.1
dtaction auth required libpam_hpsec.so.1
dtaction auth required libpam_unix.so.1
ftp auth required libpam_hpsec.so.1
ftp auth required libpam_unix.so.1
rcomds auth required libpam_hpsec.so.1
rcomds auth required libpam_unix.so.1
sshd auth required libpam_updbe.so.1
sshd auth sufficient libpam_krb5.so.1 debug
sshd auth required libpam_unix.so.1 debug try_first_pass
OTHER auth required libpam_unix.so.1

pam_user.conf
-------------
root auth /usr/lib/security/$ISA/libpam_unix.so.1
root password /usr/lib/security/$ISA/libpam_unix.so.1

pamkrbval -v -a pa64
--------------------
Validating the pam configuration files
---------- --- --- ------------- -----

Validating the /etc/pam.conf file
[LOG] : The /etc/pam.conf files permissions are fine
[LOG] : Opened : /etc/pam.conf

[PASS] : The validation of config file: /etc/pam.conf passed


Validating the /etc/pam_user.conf file
[LOG] : The /etc/pam_user.conf files permissions are fine
[LOG] : Opened : /etc/pam_user.conf

[PASS] : The validation of config file: /etc/pam_user.conf passed

Validating the kerberos config file
---------- --- -------- ------ -----
[PASS] : Initialization of kerberos passed

Connecting to default Realm
---------- -- ------- -----
[LOG] : The default realm is : FLEXNET.FLEXSYS.COM
[LOG] : KDC hosts for realm FLEXNET.FLEXSYS.COM :ruadc001.flexnet.flexsys.com
[LOG] : Trying to contact KDC for realm FLEXNET.FLEXSYS.COM...
[LOG] : Realm FLEXNET.FLEXSYS.COM is answering ticket requests
[PASS] : Default Realm is issuing tickets

Validating the keytab entry for the host service principal
---------- --- ------ ----- --- --- ---- ------- ---------
[LOG] : Host upgrade, aka upgrade.flexnet.flexsys.com.
[LOG] : The default keytab name is : /etc/krb5.keytab
[LOG] : Keytab file /etc/krb5.keytab is present
[LOG] : Permissions on /etc/krb5.keytab are correct.
[LOG] : Key table entry not found while getting the keytab entry from /etc/krb5.keytab , Assuming Success
[PASS] : The keytab validation is successful

What I have noticed is the following in /var/adm/syslog/syslog :-

Oct 26 09:38:08 upgrade sshd[15265]: load_modules: can not open module /usr/lib/security/pa20_64/libpam_krb5.so.1
Oct 26 09:44:03 upgrade sshd[15303]: error: PAM: Shared object load failure for root from 10.7.152.245
Oct 26 09:44:05 upgrade sshd[15303]: Failed password for root from 10.7.152.245 port 47020 ssh2

The version of OpenSSH I am using is :-

T1471AA A.04.50.010 HP-UX Secure Shell

Any help would be well received.
F Verschuren
Esteemed Contributor

Re: SSH & Kerberos woes

a lot of text and a lot of potential solutions...

first guess:
cd /usr/lib/security/pa20_64/
create link
libpam_krb5.so.1 -> ./libpam_krb5.1

nlscux75:nl11588> ll /usr/lib/security/pa20_64/
total 1360
-r-xr-xr-x 1 root bin 79768 Aug 2 2004 libpam_dce.1
-r-xr-xr-x 1 root bin 79768 Aug 2 2004 libpam_dce.so.1
-r-xr-xr-x 1 root sys 59632 Oct 14 2005 libpam_hpsec.1
lrwxr-xr-x 1 root sys 16 Nov 16 2006 libpam_hpsec.so.1 -> ./libpam_hpsec.1
-r-xr-xr-x 1 root sys 219784 May 20 2004 libpam_krb5.1
lrwxr-xr-x 1 root sys 15 Jun 29 2006 libpam_krb5.so.1 -> ./libpam_krb5.1
lrwxr-xr-x 1 root sys 45 Jun 29 2006 libpam_ntlm.1 -> /opt/cifsclient/pam/lib/pa20_64/libpam_ntlm.1
lrwxr-xr-x 1 root sys 45 Jun 29 2006 libpam_ntlm.so.1 -> /opt/cifsclient/pam/lib/pa20_64/libpam_ntlm.1
-r-xr-xr-x 1 root sys 225032 Jun 1 2006 libpam_unix.1
lrwxr-xr-x 1 root sys 15 Jun 17 12:02 libpam_unix.so.1 -> ./libpam_unix.1
-r-xr-xr-x 1 root sys 14592 Aug 27 2004 libpam_updbe.1
lrwxr-xr-x 1 root sys 16 Jun 29 2006 libpam_updbe.so.1 -> ./libpam_updbe.1
nlscux75:nl11588>

second, please see swlist for installation of the following:
nlscux75:nl11588> swlist -l file |grep libpam_krb5
PAM-Kerberos.PAM-KRB-64SLIB: /usr/lib/security/pa20_64/libpam_krb5.1
PAM-Kerberos.PAM-KRB-64SLIB: /usr/lib/security/pa20_64/libpam_krb5.so.1
PAM-Kerberos.PAM-KRB-I64LIB: /usr/lib/security/hpux64/libpam_krb5.so.1
PAM-Kerberos.PAM-KRB-IASLIB: /usr/lib/security/hpux32/libpam_krb5.so.1
PAM-Kerberos.PAM-KRB-SHLIB: /usr/lib/security/libpam_krb5.1
PAM-Kerberos.PAM-KRB-SHLIB: /usr/lib/security/libpam_krb5.so.1
nlscux75:nl11588>
UxBoD
Frequent Advisor

Re: SSH & Kerberos woes

[upgrade:/]# swlist -l file | grep libpam_krb5
PAM-Kerberos.PAM-KRB-64SLIB: /usr/lib/security/pa20_64/libpam_krb5.1
PAM-Kerberos.PAM-KRB-64SLIB: /usr/lib/security/pa20_64/libpam_krb5.so.1
PAM-Kerberos.PAM-KRB-SHLIB: /usr/lib/security/libpam_krb5.1
PAM-Kerberos.PAM-KRB-SHLIB: /usr/lib/security/libpam_krb5.so.1

[upgrade:/usr/lib/security/pa20_64]# ll
total 3040
-r-xr-xr-x 1 bin bin 9312 Jul 20 2005 libacpm_hpux_rbac.1
lrwxr-xr-x 1 bin bin 45 Jul 5 16:42 libacpm_hpux_rbac.sl -> /usr/lib/security/pa20_64/libacpm_hpux_rbac.1
-r-xr-xr-x 1 root sys 438488 Dec 19 2006 libpam_authz.1
lrwxr-xr-x 1 root sys 16 Jul 9 11:43 libpam_authz.so.1 -> ./libpam_authz.1
-r-xr-xr-x 1 root bin 79768 Aug 2 2004 libpam_dce.1
-r-xr-xr-x 1 root bin 79768 Aug 2 2004 libpam_dce.so.1
-r-xr-xr-x 1 root sys 59632 Oct 13 2005 libpam_hpsec.1
lrwxr-xr-x 1 root sys 16 Oct 25 10:34 libpam_hpsec.so.1 -> ./libpam_hpsec.1
-r-xr-xr-x 1 root sys 219784 May 20 2004 libpam_krb5.1
lrwxr-xr-x 1 root sys 15 Jul 5 14:48 libpam_krb5.so.1 -> ./libpam_krb5.1
-r-xr-xr-x 1 root sys 394168 Dec 19 2006 libpam_ldap.1
lrwxr-xr-x 1 root sys 15 Jul 9 11:43 libpam_ldap.so.1 -> ./libpam_ldap.1
lrwxr-xr-x 1 root sys 45 Jul 5 14:48 libpam_ntlm.1 -> /opt/cifsclient/pam/lib/pa20_64/libpam_ntlm.1
lrwxr-xr-x 1 root sys 45 Jul 5 14:48 libpam_ntlm.so.1 -> /opt/cifsclient/pam/lib/pa20_64/libpam_ntlm.1
-r-xr-xr-x 1 root sys 225064 Dec 6 2006 libpam_unix.1
lrwxr-xr-x 1 root sys 15 Jul 9 11:45 libpam_unix.so.1 -> ./libpam_unix.1
-r-xr-xr-x 1 root sys 14592 Aug 27 2004 libpam_updbe.1
lrwxr-xr-x 1 root sys 16 Jul 5 14:51 libpam_updbe.so.1 -> ./libpam_updbe.1


All looks okay already :(
Denver Osborn
Honored Contributor

Re: SSH & Kerberos woes

Does your config authenticate non-root users using krb5?

Also, for the pam_user.conf to work you'd need an entry in pam.conf for /usr/lib/security/$ISA/libpam_updbe.so.1. Without it the pam_user.conf settings won't be read. Also specify the krb5 pam module in pam_user.conf with the ignore flag. The pam_user.conf is used to override settings from the pam.conf. Here's an example for your pam_user.conf.

root auth /usr/lib/security/$ISA/libpam_krb5.so.1 ignore
root password /usr/lib/security/$ISA/libpam_krb5.so.1 ignore
root account /usr/lib/security/$ISA/libpam_krb5.so.1 ignore
root session /usr/lib/security/$ISA/libpam_krb5.so.1 ignore

root auth /usr/lib/security/$ISA/libpam_unix.so.1 try_first_pass


When the stack hits libpam_krb5 the settings in the pam_user.conf override those in the pam.conf for the specified user, but only if libpam_updbe is configured.

You'll also want to consider your sshd_config settings.


Hope this helps,
-denver
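A small model of the override mechanism described in the reply above, added here as an example and not taken from the thread or from HP-UX's own libpam: it parses pam.conf and pam_user.conf, walks the sshd auth stack with the required/sufficient control flags, applies per-user options only when libpam_updbe is in the stack, and treats `ignore` as skipping the module for that user. It assumes pam_user.conf can only replace a module's options and cannot add modules to the stack, matches entries by module file name after expanding $ISA to pa20_64, and substitutes a constructed outcome table for real module results.

```python
import posixpath

ISA = "pa20_64"  # the 64-bit sshd in the thread resolves $ISA to pa20_64
def basename(module):
    return posixpath.basename(module.replace("$ISA", ISA))
def _rows(text):
    return [l.split() for l in text.splitlines() if l.strip() and not l.startswith("#")]
def parse_pam_conf(text):
    """pam.conf lines -> (service, type, control_flag, module, options)."""
    return [(r[0], r[1], r[2], r[3], tuple(r[4:])) for r in _rows(text)]
def parse_pam_user_conf(text):
    """pam_user.conf lines -> {(user, type, module basename): options}."""
    return {(r[0], r[1], basename(r[2])): tuple(r[3:]) for r in _rows(text)}

def authenticate(service, user, pam_conf, user_conf, outcomes):
    """Walk the auth stack; outcomes maps (user, module) -> bool in place of real modules."""
    stack = [e for e in pam_conf if e[0] == service and e[1] == "auth"]
    # Model assumption: per-user options apply only when libpam_updbe is in
    # this stack, and pam_user.conf replaces options, it cannot add modules.
    updbe = any(basename(e[3]) == "libpam_updbe.so.1" for e in stack)
    trace, failed = [], False
    for _svc, _type, flag, module, options in stack:
        name = basename(module)
        if name == "libpam_updbe.so.1":
            continue
        if updbe:
            options = user_conf.get((user, "auth", name), options)
        if "ignore" in options:  # module skipped for this user
            trace.append(name + ":ignore")
            continue
        ok = outcomes.get((user, name), False)
        trace.append(name + (":ok" if ok else ":fail"))
        if ok and flag == "sufficient" and not failed:
            return True, trace
        if not ok and flag in ("required", "requisite"):
            failed = True
    return (not failed and any(t.endswith(":ok") for t in trace)), trace

# Constructed sample: root's password lives only in /etc/passwd, jdoe's only in AD.
OUTCOMES = {("root", "libpam_unix.so.1"): True, ("jdoe", "libpam_krb5.so.1"): True}
SSHD_STACK = """sshd auth required libpam_updbe.so.1
sshd auth sufficient libpam_krb5.so.1 debug
sshd auth required libpam_unix.so.1 debug try_first_pass"""
FIRST_POST = "root auth /usr/lib/security/$ISA/libpam_unix.so.1"
WITH_IGNORE = """root auth /usr/lib/security/$ISA/libpam_krb5.so.1 ignore
root auth /usr/lib/security/$ISA/libpam_unix.so.1 try_first_pass"""

def run(user, user_conf_text, stack_text=SSHD_STACK):
    return authenticate("sshd", user, parse_pam_conf(stack_text),
                        parse_pam_user_conf(user_conf_text), OUTCOMES)
```

Running it shows that with the first post's pam_user.conf the krb5 module is still consulted for root, with the ignore entry it is skipped, and with a pam.conf sshd stack that lacks libpam_unix the root override leaves nothing to authenticate against.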

UxBoD
Frequent Advisor

Re: SSH & Kerberos woes

Hi Denver,

Did a bit more testing this morning and still no joy :( I now have pam_user.conf set as follows :-

jpro auth /usr/lib/security/$ISA/libpam_krb5.so.1 ignore
jpro password /usr/lib/security/$ISA/libpam_krb5.so.1 ignore
jpro account /usr/lib/security/$ISA/libpam_krb5.so.1 ignore
jpro session /usr/lib/security/$ISA/libpam_krb5.so.1 ignore
jpro auth /usr/lib/security/$ISA/libpam_unix.so.1 try_first_pass
jpro password /usr/lib/security/$ISA/libpam_unix.so.1

and within pam.conf :-

sshd auth required libpam_updbe.so.1
sshd auth required libpam_krb5.so.1 debug

the sshd_config has been changed from default for the following :-

UsePAM yes
PasswordAuthentication yes

So still no joy on overrides :(