Solaris Secure Shell (SSH) / Kerberos 5 Hints

How do you make the Solaris Secure Shell (aka the SSH client that is shipped with Solaris 9) work with Kerberos 5 authentication?

With the release of Solaris 9, Sun has finally started to ship a mostly reasonable SSH client (known by Sun as the Solaris Secure Shell) and server. The server is /usr/lib/ssh/sshd. The sshd daemon included in Solaris 9 uses the PAM (Pluggable Authentication Module) framework that comes with Solaris 9 for authentication, in addition to the internal public key framework that SSH is capable of using for authentication.

The PAM configuration on Solaris 9 doesn't have any specific configuration for the sshd daemon. Activating the Kerberos 5 configuration lines at the end of the /etc/pam.conf file will not make sshd work with Kerberos 5. This is contrary to the comments in that file about what must be done to make Kerberos 5 authentication work for all the services on the system.

If the following authentication entries are added to the /etc/pam.conf file, the sshd daemon will start using Kerberos authentication, and will fall back to any local password on the machine if the KDC is unavailable or the password given doesn't match the one stored in the KDC.

#
# sshd authentication order
#
sshd    auth sufficient         pam_krb5.so.1 try_first_pass
sshd    auth required           pam_unix_auth.so.1

No changes are necessary to the /etc/ssh/sshd_config file to make sshd work with Kerberos. Of course, the /etc/krb5/krb5.conf file will need to be set up properly, but that's a task outlined in another NSFAQ.
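
To see why this two-line stack behaves as described, here is an added example (not part of the original page or of Solaris) that parses pam.conf-style text, resolves the auth stack a service actually gets, and evaluates it with a simplified model of the control flags. The "other" entry in the sample and the helper names parse, stack_for and evaluate are assumptions made for illustration.

```python
# Constructed sample: the two sshd lines from this page plus a simplified,
# assumed "other" fallback entry (not a copy of the stock Solaris 9 file).
PAM_CONF = """\
sshd    auth sufficient         pam_krb5.so.1 try_first_pass
sshd    auth required           pam_unix_auth.so.1
other   auth required           pam_unix_auth.so.1
"""

def parse(text):
    """Return (service, type, control, module, options) tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4:
            entries.append((fields[0], fields[1], fields[2], fields[3], fields[4:]))
    return entries

def stack_for(entries, service, mtype="auth"):
    """Entries for service/type; a service with none of its own gets 'other'."""
    own = [e for e in entries if e[0] == service and e[1] == mtype]
    return own or [e for e in entries if e[0] == "other" and e[1] == mtype]

def evaluate(stack, results):
    """Simplified model of required/requisite/sufficient (optional and binding
    are left out). results maps module name -> True (success) or False."""
    passed = failed = False
    for _, _, control, module, _ in stack:
        ok = results[module]
        if control == "sufficient":
            if ok and not failed:
                return True          # stop here, later modules are not run
        elif control == "requisite":
            if not ok:
                return False         # fail at once
            passed = True
        elif control == "required":
            passed, failed = passed or ok, failed or not ok
        else:
            raise ValueError("control flag not modelled: " + control)
    return passed and not failed

if __name__ == "__main__":
    KRB, UNIX = "pam_krb5.so.1", "pam_unix_auth.so.1"
    sshd = stack_for(parse(PAM_CONF), "sshd")
    for krb_ok, unix_ok in [(True, False), (False, True), (False, False)]:
        print(krb_ok, unix_ok, "->", evaluate(sshd, {KRB: krb_ok, UNIX: unix_ok}))
```

The middle case is the fall-back: a matching local password is accepted even when the Kerberos check fails, so local password strength still matters on hosts configured this way.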

Thanks to Chris Ross for helping to rationalize and debug the configuration.

Kurt J. Lidl
lidl at pix dot net
Last Updated: $Date: 2004/02/16 20:28:45 $