With the release of Solaris 9, Sun has finally started to ship a
mostly reasonable SSH client (known by Sun as the Solaris Secure Shell)
and server. The server is in
The sshd daemon included in Solaris 9 will use the PAM (Pluggable
Authentication Module) framework that comes with Solaris 9 to do
authentication, in addition to the internal public key framework that
SSH is capable of using for authentication.
The PAM configuration on Solaris 9 doesn't have any specific
configuration for the sshd daemon. Activating the Kerberos 5
configuration lines at the end of the
will not make sshd work with Kerberos 5. This is contrary to the
comments in that file about what must be done to make Kerberos 5
authentication work for all the services on the system.
If the following authentication bits are added to the the
/etc/pam.conf file, the sshd daemon will just start using
Kerberos authentication, and will fall-back to any local password on
the machine, if the KDC is unavailable, or the password given doesn't
match that stored in the KDC.
# # sshd authentication order # sshd auth sufficient pam_krb5.so.1 try_first_pass sshd auth required pam_unix_auth.so.1
No changes are necessary to the
file to make sshd with Kerberos. Of course, the
/etc/krb5/krb5.conf file will need to be setup properly,
but that's a task outlined in another NSFAQ.
Thanks to Chris Ross for helping to rationalize and debug the configuration.
Back to the page of Not So Frequently Asked Questions.Kurt J. Lidl