With the release of Solaris 9, Sun has finally started to ship a
mostly reasonable SSH client (known by Sun as the Solaris Secure Shell)
and server. The server binary is /usr/lib/ssh/sshd.
The sshd daemon included in Solaris 9 will use the PAM (Pluggable
Authentication Module) framework that comes with Solaris 9 to do
authentication, in addition to the internal public key framework that
SSH is capable of using for authentication.
The PAM configuration on Solaris 9 doesn't have any specific
configuration for the sshd daemon. Activating the Kerberos 5
configuration lines at the end of the /etc/pam.conf file
will not make sshd work with Kerberos 5. This is contrary to the
comments in that file about what must be done to make Kerberos 5
authentication work for all the services on the system.
If the following authentication bits are added to the
/etc/pam.conf file, the sshd daemon will just start using
Kerberos authentication, and will fall back to any local password on
the machine if the KDC is unavailable or the password given doesn't
match that stored in the KDC.

    #
    # sshd authentication order
    #
    sshd auth sufficient pam_krb5.so.1 try_first_pass
    sshd auth required pam_unix_auth.so.1

No changes are necessary to the /etc/ssh/sshd_config
file to make sshd work with Kerberos. Of course, the
/etc/krb5/krb5.conf file will need to be set up properly,
but that's a task outlined in another NSFAQ.
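
The fall-back behaviour of the two sshd auth lines above can be traced with a small model of PAM's control flags. This is an added example, not part of the original FAQ or of Solaris: parse_stack and evaluate are hypothetical helper names, the module results are constructed inputs, and the "optional" flag is ignored for brevity.

```python
# Added example: simplified model of PAM auth-stack evaluation.
# Module results are supplied by the caller; nothing is authenticated.
PAM_CONF = """\
#
# sshd authentication order
#
sshd auth sufficient pam_krb5.so.1 try_first_pass
sshd auth required pam_unix_auth.so.1
"""

def parse_stack(text, service, mod_type="auth"):
    """Return [(control, module, args)] for one service, in file order."""
    stack = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4:
            continue  # blank, comment-only or malformed line
        svc, typ, control, module, *args = fields
        if svc == service and typ == mod_type:
            stack.append((control, module, args))
    return stack

def evaluate(stack, results):
    """results maps module name -> True/False (constructed outcomes).
    Returns (granted, modules consulted in order)."""
    failed, passed, consulted = False, False, []
    for control, module, _args in stack:
        ok = results[module]
        consulted.append(module)
        if control == "sufficient":
            if ok and not failed:
                return True, consulted      # stop here, access granted
        elif control in ("required", "requisite"):
            passed = passed or ok
            failed = failed or not ok
            if control == "requisite" and not ok:
                return False, consulted     # stop here, access denied
        # "optional" results are ignored in this simplified model
    return passed and not failed, consulted

if __name__ == "__main__":
    stack = parse_stack(PAM_CONF, "sshd")
    krb, unix = "pam_krb5.so.1", "pam_unix_auth.so.1"
    for name, results in [("Kerberos password accepted", {krb: True, unix: False}),
                          ("KDC down, local password ok", {krb: False, unix: True}),
                          ("both rejected", {krb: False, unix: False})]:
        print(name, "->", evaluate(stack, results))
```

The second case is the one to keep in mind when auditing: with this stack a valid local password is still accepted whenever pam_krb5 does not succeed, so local password hygiene matters even after Kerberos is enabled.
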
Thanks to Chris Ross for helping to rationalize and debug the configuration.