pam, sshd and Solaris 8

From: Houle, Michael (Michael.Houle_at_atcoitek.com)
Date: 04/20/04

  • Next message: Darren Tucker: "Re: OpenSSH_3.8.1p1 - passwd -f does not work"
    Date: Tue, 20 Apr 2004 15:28:17 -0600
    To: <secureshell@securityfocus.com>
    
    

    Hello,

    Can anyone tell me if they've gotten the following 2 features working on
    Solaris? We can get both features working but not at the same time with
    pam.conf.

    1. password expiry at login time using interactive login
    2. private/publickey login

    We are using SEAM's pam_krb5.so. It seems that the 'account' module is
    trying to test the age of the password and during public/private key
    logins, the 'auth' information is not available.

    Our pam.conf lines are as follows (this allows public/private login):

    sshd auth sufficient /usr/lib/security/pam_krb5.so.1 err_on_exp
    sshd auth sufficient /usr/lib/security/pam_unix.so.1
    #sshd account required /usr/lib/security/pam_krb5.so.1
    sshd session required /usr/lib/security/pam_krb5.so.1
    sshd password required /usr/lib/security/pam_krb5.so.1

    If we want to enable interactive login with password aging:

    sshd auth sufficient /usr/lib/security/pam_krb5.so.1
    sshd auth sufficient /usr/lib/security/pam_unix.so.1
    sshd account required /usr/lib/security/pam_krb5.so.1
    sshd session required /usr/lib/security/pam_krb5.so.1
    sshd password required /usr/lib/security/pam_krb5.so.1

    We enable the 'account' module, but it wants to check the password
    age and therefore prompts for it. This effectively disables publickey
    login for cron jobs etc.

    I understand that the account management is needed to check for hours
    of service and other login issues. I wonder if somehow Sun's pam_krb5 is
    doing something out of the ordinary.

    As far as I've been able to determine, both features cannot be set up at
    the same time on Solaris using their pam_krb5.

    My primary suggestion is to allow a configuration parameter to disable
    the use of PAM when publickey logins are being used. This would allow
    those who need it to work around this issue.

    Anyone who can shed more light on this?

    TIA,

    Mike.
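
Added example, not part of the original message: a small Python check that parses the two `pam.conf` excerpts quoted above (embedded here as constructed input) and reports which module types the `sshd` service has no active entry for, and how the two stacks differ. The function and variable names are hypothetical.

```python
from collections import defaultdict

# Constructed sample input: the two sshd stacks quoted in the post.
KEY_LOGIN_CONF = """\
sshd auth sufficient /usr/lib/security/pam_krb5.so.1 err_on_exp
sshd auth sufficient /usr/lib/security/pam_unix.so.1
#sshd account required /usr/lib/security/pam_krb5.so.1
sshd session required /usr/lib/security/pam_krb5.so.1
sshd password required /usr/lib/security/pam_krb5.so.1
"""
AGING_CONF = """\
sshd auth sufficient /usr/lib/security/pam_krb5.so.1
sshd auth sufficient /usr/lib/security/pam_unix.so.1
sshd account required /usr/lib/security/pam_krb5.so.1
sshd session required /usr/lib/security/pam_krb5.so.1
sshd password required /usr/lib/security/pam_krb5.so.1
"""
MODULE_TYPES = ("auth", "account", "session", "password")

def parse_pam_conf(text):
    """Return {service: {module_type: [(control, module_path, options), ...]}}."""
    stacks = defaultdict(lambda: defaultdict(list))
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[1] not in MODULE_TYPES:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        service, mtype, control, path, *options = fields
        stacks[service][mtype].append((control, path, tuple(options)))
    return stacks

def missing_types(stacks, service):
    """Module types for which the service has no active (uncommented) entry."""
    return [t for t in MODULE_TYPES if not stacks.get(service, {}).get(t)]

def diff_stacks(a, b, service):
    """Entries present in only one of two parsed configurations, per module type."""
    out = {}
    for t in MODULE_TYPES:
        ea, eb = a.get(service, {}).get(t, []), b.get(service, {}).get(t, [])
        only_a = [e for e in ea if e not in eb]
        only_b = [e for e in eb if e not in ea]
        if only_a or only_b:
            out[t] = {"only_first": only_a, "only_second": only_b}
    return out

if __name__ == "__main__":
    print(missing_types(parse_pam_conf(KEY_LOGIN_CONF), "sshd"))
```

Run against the two excerpts, the check shows that the stacks differ in two places: the commented-out `account` line and the `err_on_exp` option on the first `auth` entry.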

