OSX and Kerberos

Posted 12-09-2013

Our Network Security folks have mandated that we "Kerberize" our systems to allow them to perform an authenticated scan. This consists of instructions to change /etc/pam.d/sshd from:

Code:
# sshd: auth account password session
auth       optional       pam_krb5.so use_kcminit
auth       optional       pam_ntlm.so try_first_pass
auth       optional       pam_mount.so try_first_pass
auth       required       pam_opendirectory.so try_first_pass
account    required       pam_nologin.so
account    required       pam_sacl.so sacl_service=ssh
account    required       pam_opendirectory.so
password   required       pam_opendirectory.so
session    required       pam_launchd.so
session    optional       pam_mount.so

To:

Code:
# sshd: auth account password session
auth       sufficient     pam_krb5.so try_first_pass default_principal
auth       optional       pam_ntlm.so try_first_pass
auth       optional       pam_mount.so try_first_pass
auth       required       pam_opendirectory.so try_first_pass
account    required       pam_nologin.so
account    required       pam_sacl.so sacl_service=ssh
account    required       pam_opendirectory.so
password   required       pam_opendirectory.so
session    required       pam_launchd.so
session    optional       pam_mount.so

And /etc/pam.d/sudo from:

Code:
# sudo: auth account password session
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so

To:

Code:
# sudo: auth account password session
auth       sufficient     pam_krb5.so try_first_pass default_principal
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so

Also to uncomment / add the following lines in /etc/sshd_config:

Code:
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

UsePam yes

This results in two issues. One is that /tmp/ fills up with dozens or hundreds of krb5cc-XXXXXX files. The other is that sudo attempts always fail on the first attempt with the error:

Code:
Dec  9 10:45:56 aria sudo[93207]: krb5_sendto_context is called on main thread, its a blocking api
Dec  9 10:45:56 aria sudo[93207]: in pam_sm_authenticate(): Kerberos 5 error

To top that off, they still complain about "invalid credentials" on some hosts. I have a very strong feeling that they know less about Kerberos than I do, which is saying something, as I don't know much more than how to spell it :-) I tried klist, but couldn't get anything more useful than:

Code:
klist: krb5_cc_get_principal: No credentials cache file found

Googling hasn't helped me... the references I can find to those errors are nonspecific and usually include others (like "Kerberos refuses you" or something).

Any assistance appreciated!
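As an added audit example (not from the original post and not part of any Apple or MIT tool): the Python below parses the two /etc/pam.d/sshd stacks quoted above, reports which auth module can now satisfy the whole stack on its own (a `sufficient` entry placed ahead of the `required` pam_opendirectory.so line), and diffs control flags and module arguments between the two versions. The same functions work on the sudo stack or on a file read from disk.

```python
from collections import namedtuple

PamRule = namedtuple("PamRule", "type control module args")

# Constructed inline copies of the two /etc/pam.d/sshd stacks quoted in the post.
SSHD_BEFORE = """\
auth       optional       pam_krb5.so use_kcminit
auth       optional       pam_ntlm.so try_first_pass
auth       optional       pam_mount.so try_first_pass
auth       required       pam_opendirectory.so try_first_pass
account    required       pam_nologin.so
account    required       pam_sacl.so sacl_service=ssh
account    required       pam_opendirectory.so
password   required       pam_opendirectory.so
session    required       pam_launchd.so
session    optional       pam_mount.so
"""
SSHD_AFTER = SSHD_BEFORE.replace(
    "auth       optional       pam_krb5.so use_kcminit",
    "auth       sufficient     pam_krb5.so try_first_pass default_principal")

def parse_pam(text):
    """Parse pam.d lines into PamRule tuples; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        type_, control, module, *args = line.split()  # ValueError if malformed
        rules.append(PamRule(type_, control, module, tuple(args)))
    return rules

def short_circuit_modules(rules, stack="auth"):
    """'sufficient' modules that precede the first required/requisite module of
    the stack: a success in any of them completes the stack without asking the rest."""
    found = []
    for r in rules:
        if r.type != stack:
            continue
        if r.control in ("required", "requisite"):
            break
        if r.control == "sufficient":
            found.append(r.module)
    return found

def control_changes(before, after):
    """(type, module, old_control, new_control, old_args, new_args) for every
    rule whose control flag or arguments differ between the two stacks."""
    old = {(r.type, r.module): r for r in parse_pam(before)}
    changes = []
    for r in parse_pam(after):
        o = old.get((r.type, r.module))
        if o and (o.control != r.control or o.args != r.args):
            changes.append((r.type, r.module, o.control, r.control, o.args, r.args))
    return changes
```

Running it on the quoted stacks shows that before the change no auth module could short-circuit the stack, and afterwards pam_krb5.so alone can, which is the security-relevant effect of swapping `optional` for `sufficient`.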