[EMAIL PROTECTED] wrote:
I'm still getting the error "krb5_verify_init_creds failed: Decrypt integrity check failed". What does this mean? Does this mean the encryption type is bad? We had this working at one point and regenerated our host key, and now we are getting this strange error.
It's from KRB5KRB_AP_ERR_BAD_INTEGRITY and generated in a couple of places. After a decrypt operation the message checksum is computed and compared to the checksum in the message. If they don't agree it usually means the key used to encrypt does not match the key used to decrypt. (It could also be that the message was modified, or a programming error in the way the checksum is generated or the key derived.)
So if you regenerated your host keys, it is most likely they did not get updated correctly. If you have the output file from ktpass, you can dump it in hex, as well as dump the krb5.keytab, and see if the same keys are in both.
thanks,
Tyson
"Douglas E. Engert" wrote:
Tyson Oswald wrote:
That seems to fix the issue of locking the account, but it still dumps that message in the log. I will try and use use_first_pass and see if that makes a difference. Adding the pam_getauth_ok seemed to fix the lockout problem. It's slow going, since everything has to be approved before we can make changes to our AD, since we are part of a huge forest.
You say it works with login but not sshd? That would indicate that the Solaris Kerberos libs and pam_krb5 can handle the tickets, and the decrypt message indicates that the password could not be turned into a key as expected.
You could also write a simple PAM debug exit of your own, and have it log the user and password as seen by PAM. Then include this before and after the pam_krb5. It could be the Solaris sshd is not passing the password correctly to PAM.
Ethereal might also help to see what packets are being sent.
thanks for the help.
Tyson
On Jan 4, 2005, at 02:16 PM, Douglas E. Engert wrote:
Tyson Oswald wrote:
Greetings All, I have been making good progress in getting Kerberos to work on Solaris 9 and Windows AD. I have it working very well from the console. Problems arise when I use SSH. I have my pam.conf configured as follows for SSH, which is identical to login:

    sshd auth sufficient pam_unix_auth.so.1
    sshd auth required pam_krb5.so.1 try_first_pass debug

When I connect to SSH it does an initial call to the DC before I even enter my password, like so
So do you also have the sshd auth requisite pam_authtok_get.so.1 before these? It should prompt for the initial password. It might be that the try_first_pass is trying the null string passed by sshd to pam, thus the first decrypt failure message.
We are using something like this, but not using the Solaris pam_krb5:

    # sshd - keyboard interactive uses all PAM exits, but
    # privsep gets in the way. So use force.
    # PAM session is called when GSSAPI delegation or
    # Kerberos password used, so get AFS token in all three
    # cases.
    # We want a session type cache, so with ANL PAM
    # pass in ccache=
    # We need ccache= on HP as it does not have pam_putenv
    # RedHat PAM uses session cache already
    #
    sshd auth requisite pam_authtok_get.so.1
    sshd auth required pam_dhkeys.so.1
    sshd auth sufficient /krb5/lib/pam_krb5.so.1 use_first_pass forwardable force_creds cache=/tmp/krb5cc_u%u_p%p
    sshd auth required pam_unix_auth.so.1
    #
    sshd session required pam_unix_session.so.1
    sshd session required /krb5/lib/pam_afs2.so.1
    #

If you are interested, we have MIT Krb5 1.3.5 with OpenSSH-3.9p1 working with the Solaris 9 dtlogin, dtsession, xlock, xscreensaver. The KDC is Windows 2003 AD.
    Jan 4 10:03:48 snoopy sshd[19516]: [ID 655841 local6.debug] PAM-KRB5 (auth): pam_sm_authenticate flags=1
    Jan 4 10:03:48 snoopy sshd[19516]: [ID 549540 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: start: user='cbrown'
    Jan 4 10:03:48 snoopy sshd[19516]: [ID 179272 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt integrity check failed
    Jan 4 10:03:48 snoopy sshd[19516]: [ID 399723 local6.debug] PAM-KRB5 (auth): clearing initcreds in pam_authenticate()
    Jan 4 10:03:48 snoopy sshd[19516]: [ID 833335 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth returning 9
    Jan 4 10:03:48 snoopy sshd[19516]: [ID 954327 local6.debug] PAM-KRB5 (auth): prompting for password
    Jan 4 10:03:48 snoopy sshd[19516]: [ID 549540 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: start: user='cbrown'
    Jan 4 10:03:48 snoopy sshd[19516]: [ID 179272 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt integrity check failed
    Jan 4 10:03:48 snoopy sshd[19516]: [ID 399723 local6.debug] PAM-KRB5 (auth): clearing initcreds in pam_authenticate()
    Jan 4 10:03:48 snoopy sshd[19516]: [ID 833335 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth returning 9
    Jan 4 10:03:48 snoopy sshd[19516]: [ID 914654 local6.debug] PAM-KRB5 (auth): pam_sm_auth finalize ccname env, result =9, env ='KRB5CCNAME=FILE:/tmp/krb5cc_106', age = 0, status = 9
    Jan 4 10:03:48 snoopy sshd[19516]: [ID 525286 local6.debug] PAM-KRB5 (auth): end: Authentication failed

The problem here is it will eventually lock out our domain account. I am pretty sure this is not a Kerberos issue but was wondering if anyone else ran into this issue. I am using Solaris 9 and the SSH that came with it, so Sun_SSH_1.0.1.
thanks much,
Tyson Oswald
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
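The hex-dump comparison suggested above (dump the ktpass output and the host's krb5.keytab and check that the same keys are in both) can be scripted. The following is an added example, not code from the thread or from MIT Kerberos: it parses the version-2 MIT keytab layout that kadmin, ktutil and ktpass all write (0x0502 header, big-endian counted fields, 8-bit kvno followed by an optional 32-bit kvno), prints principal, kvno, enctype and key bytes per entry, and reports principals whose keys differ between two files. The principal host/snoopy.example.com@EXAMPLE.COM, the timestamps and the key bytes are constructed for the demonstration and are not real keys.

```python
"""Dump and compare MIT-format keytabs (the format kadmin/ktutil and ktpass write).

Added example, not from the thread or from MIT Kerberos. The principal,
timestamps and key bytes below are constructed for the demonstration.
"""
import struct
from dataclasses import dataclass

ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}


@dataclass(frozen=True)
class KeytabEntry:
    principal: str   # "primary/instance@REALM"
    kvno: int
    enctype: int
    key: bytes
    timestamp: int


def _counted(buf: bytes, off: int):
    """Read a 16-bit-length-prefixed octet string at off; return (bytes, new_off)."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data: bytes) -> list:
    """Parse a version-2 (0x0502) keytab; every integer is big-endian."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # negative size marks a deleted slot
            off += -size
            continue
        rec, off = data[off:off + size], off + size
        p = 0
        (ncomp,) = struct.unpack_from(">H", rec, p); p += 2
        realm, p = _counted(rec, p)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(rec, p)
            comps.append(c.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", rec, p); p += 9
        enctype, klen = struct.unpack_from(">HH", rec, p); p += 4
        key, p = rec[p:p + klen], p + klen
        kvno = vno8
        if len(rec) - p >= 4:             # optional 32-bit kvno supersedes vno8
            (kvno,) = struct.unpack_from(">I", rec, p)
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, key, ts))
    return entries


def build_keytab(entries) -> bytes:
    """Serialize entries in the same layout (used here only to construct sample files)."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.split("@")
        parts = name.split("/")
        rec = bytearray(struct.pack(">H", len(parts)))
        rec += struct.pack(">H", len(realm)) + realm.encode()
        for c in parts:
            rec += struct.pack(">H", len(c)) + c.encode()
        rec += struct.pack(">IIB", 1, e.timestamp, e.kvno & 0xFF)   # 1 = KRB5_NT_PRINCIPAL
        rec += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        rec += struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(rec)) + rec
    return bytes(out)


def dump(entries) -> list:
    """One readable line per entry with the key in hex, like a hand-made hexdump."""
    return [f"{e.principal} kvno={e.kvno} {ENCTYPE_NAMES.get(e.enctype, str(e.enctype))} "
            f"{e.key.hex()}" for e in entries]


def mismatched_principals(keytab_a: bytes, keytab_b: bytes) -> list:
    """Principals whose (kvno, enctype, key) set differs between the two files.
    A host whose key was regenerated with ktpass but whose krb5.keytab was not
    replaced shows up here: the KDC encrypts with the new key, the host decrypts
    with the old one, and the integrity check fails."""
    def keyset(blob):
        return {(e.principal, e.kvno, e.enctype, e.key) for e in parse_keytab(blob)}
    diff = keyset(keytab_a) ^ keyset(keytab_b)
    return sorted({t[0] for t in diff})


# Constructed sample data: not real keys, not a real host.
HOST = "host/snoopy.example.com@EXAMPLE.COM"
OLD_KEY = bytes.fromhex("11" * 16)
NEW_KEY = bytes.fromhex("22" * 16)
KRB5_KEYTAB = build_keytab([KeytabEntry(HOST, 2, 23, OLD_KEY, 1104850000)])   # stale file on the host
KTPASS_OUT = build_keytab([KeytabEntry(HOST, 3, 23, NEW_KEY, 1104860000)])    # fresh ktpass output

if __name__ == "__main__":
    for label, blob in (("krb5.keytab", KRB5_KEYTAB), ("ktpass output", KTPASS_OUT)):
        print(f"== {label}")
        print("\n".join(dump(parse_keytab(blob))))
    print("principals whose keys differ:", mismatched_principals(KRB5_KEYTAB, KTPASS_OUT))
```

On a real host, feed parse_keytab the bytes of /etc/krb5/krb5.keytab and of the ktpass output file; a principal listed by mismatched_principals, or a kvno that differs between the two, is the stale key Doug describes. Treat the printed key bytes as secrets: clear the terminal scrollback and do not paste them into a ticket.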
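The lockout concern in the original post can be checked from the pam_krb5 debug lines themselves. The following is an added example, not code from the thread: it groups the PAM-KRB5 syslog lines by sshd PID, counts the krb5_get_init_creds_password failures in each session, and separately counts those logged before "prompting for password", that is, before the user could have typed anything, which is the try_first_pass-with-empty-authtok behaviour suspected above. Every such failure is an AS-REQ the DC counts as a bad password, so a stack that fails once before prompting doubles the lockout rate. The input is a constructed copy of the thread's own log excerpt plus one constructed unrelated line to show the filter; only the host name, PID and user come from the thread.

```python
"""Count krb5 preauth failures per sshd session in Solaris pam_krb5 debug output.

Added example, not from the thread. SAMPLE_LOG is a constructed copy of the
thread's own syslog excerpt plus one constructed unrelated line.
"""
import re

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"\[ID \d+ [\w.]+\] PAM-KRB5 \((?P<stack>\w+)\): (?P<msg>.*)$"
)
USER_RE = re.compile(r"start: user='(?P<user>[^']*)'")
FAIL_MARK = "krb5_get_init_creds_password returns:"


def parse_line(line: str):
    """Return the fields of one PAM-KRB5 debug line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines):
    """Group PAM-KRB5 lines by (host, sshd pid) and summarise each session."""
    sessions = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["host"], int(rec["pid"]))
        s = sessions.setdefault(key, {"user": None, "failures": 0, "failures_before_prompt": 0,
                                      "prompted": False, "errors": [], "outcome": None})
        msg = rec["msg"]
        um = USER_RE.search(msg)
        if um:
            s["user"] = um.group("user")
        if FAIL_MARK in msg:
            # each of these is an AS-REQ the DC counted as a bad password
            s["errors"].append(msg.split(FAIL_MARK, 1)[1].strip())
            s["failures"] += 1
            if not s["prompted"]:
                # failure logged before pam_krb5 asked for a password: the
                # authtok it tried cannot have come from the user
                s["failures_before_prompt"] += 1
        elif msg == "prompting for password":
            s["prompted"] = True
        elif msg.startswith("end: "):
            s["outcome"] = msg[len("end: "):]
    return sessions


def flag_sessions(sessions) -> list:
    """Sessions that burned a preauth attempt before any password was prompted."""
    return [(host, pid, s["user"], s["failures"], s["failures_before_prompt"])
            for (host, pid), s in sorted(sessions.items()) if s["failures_before_prompt"] > 0]


SAMPLE_LOG = """\
Jan 4 10:03:48 snoopy sshd[19516]: [ID 655841 local6.debug] PAM-KRB5 (auth): pam_sm_authenticate flags=1
Jan 4 10:03:48 snoopy sshd[19516]: [ID 549540 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: start: user='cbrown'
Jan 4 10:03:48 snoopy sshd[19516]: [ID 179272 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt integrity check failed
Jan 4 10:03:48 snoopy sshd[19516]: [ID 399723 local6.debug] PAM-KRB5 (auth): clearing initcreds in pam_authenticate()
Jan 4 10:03:48 snoopy sshd[19516]: [ID 833335 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth returning 9
Jan 4 10:03:48 snoopy sshd[19516]: [ID 954327 local6.debug] PAM-KRB5 (auth): prompting for password
Jan 4 10:03:48 snoopy sshd[19516]: [ID 549540 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: start: user='cbrown'
Jan 4 10:03:48 snoopy sshd[19516]: [ID 179272 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt integrity check failed
Jan 4 10:03:48 snoopy sshd[19516]: [ID 399723 local6.debug] PAM-KRB5 (auth): clearing initcreds in pam_authenticate()
Jan 4 10:03:48 snoopy sshd[19516]: [ID 833335 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth returning 9
Jan 4 10:03:48 snoopy sshd[19516]: [ID 914654 local6.debug] PAM-KRB5 (auth): pam_sm_auth finalize ccname env, result =9, env ='KRB5CCNAME=FILE:/tmp/krb5cc_106', age = 0, status = 9
Jan 4 10:03:48 snoopy sshd[19516]: [ID 525286 local6.debug] PAM-KRB5 (auth): end: Authentication failed
Jan 4 10:03:49 snoopy sshd[19516]: [ID 800047 auth.info] constructed unrelated line, ignored by the parser
"""

if __name__ == "__main__":
    for host, pid, user, n, before in flag_sessions(analyze(SAMPLE_LOG.splitlines())):
        print(f"{host} sshd[{pid}] user={user}: {n} preauth failures, {before} before any password prompt")
```

Run against the full debug log (one session per sshd PID), a non-zero failures_before_prompt count on every session is the signature of the stack ordering problem rather than of users mistyping passwords, and the total failures per user per session is the number the DC's bad-password counter actually sees.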
