AIX 5.2 + Krb5 + OpenSSH + k5login files: Help!



I recently set up for the first time the "Network Authentication Service" (krb5.client.rte) on an AIX 5.2 box, and was able to have it authenticate against our organization's MIT Kerberos infrastructure, with a little difficulty.

There are two odd things I discovered, and I was wondering if maybe I'm just not doing it right, or if I'm running into something that IBM has left out:

I note that I'm using the binary OpenSSH packages provided by IBM, and I've got the "latest" version:

openssh.base.server 4.3.0.5201 COMMITTED Open Secure Shell Server


- The sshd doesn't seem to acknowledge or in any way use a $HOME/.klogin file; if the Kerberos principal matches the AIX user ID, then you get in (after entering the correct password.) If the Kerberos principal does NOT match the AIX user ID, you don't get in.

I've verified that .k5login files are used by the "secure" telnet/telnetd combination, and that works fine. We need it to work with ssh, though.

- It seems that there is no "ticket passing" for SSH; whether I have a ticket or not, I'm always prompted for my Kerberos password. I believe that (at least on our Sun and RHEL systems) we can get automatic login via (I believe it is) the GSSAPIAuthentication directive. The AIX sshd doesn't barf on having that directive in the sshd_config, but neither does it accept the Kerberos ticket I have on my client system.

Other than these two things, I'm pretty happy with the way things are working, but that first issue is really kind of a deal-breaker, so I hope someone can just tell me that I'm stupid, and what I should do to get it to work.

Thanks!
-s-

--
Sandor W. Sklar
Unix Systems Administrator
Stanford University Libraries & Academic Information Resources (SULAIR)
Digital Libraries Systems & Services (DLSS)
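
The two behaviours contrasted in the post, as an added example that is not part of the original post and is not IBM's or OpenSSH's code: a simplified Python model of the `.k5login` rule documented for MIT Kerberos (no file: the principal must map to the local user name; file present: the principal must be listed in it) next to a name-match-only check. The realm, user names and file content are constructed, and the function names are hypothetical.

```python
from typing import Optional

def default_localname(principal: str, default_realm: str) -> Optional[str]:
    """Default mapping: a one-component principal in the default realm maps
    to the local user of the same name; anything else maps to nothing."""
    name, sep, realm = principal.rpartition("@")
    if not sep or realm != default_realm or "/" in name:
        return None
    return name

def name_match_only(principal, local_user, default_realm):
    """Behaviour the post observes from sshd: .k5login is never consulted."""
    return default_localname(principal, default_realm) == local_user

def k5login_aware(principal, local_user, default_realm, k5login_text):
    """Behaviour the post expects. k5login_text is the content of the target
    user's ~/.k5login, or None when that file does not exist."""
    if k5login_text is None:
        return name_match_only(principal, local_user, default_realm)
    listed = {ln.strip() for ln in k5login_text.splitlines() if ln.strip()}
    return principal in listed  # the file is exclusive: unlisted means denied

# Constructed test matrix: (principal, local account, that account's .k5login)
REALM = "EXAMPLE.ORG"
SHARED = "alice@EXAMPLE.ORG\nbob/admin@EXAMPLE.ORG\n"
CASES = [
    ("alice@EXAMPLE.ORG", "alice", None),        # own account, no file
    ("alice@EXAMPLE.ORG", "webadmin", SHARED),   # delegated via .k5login
    ("webadmin@EXAMPLE.ORG", "webadmin", SHARED),  # owner not listed in file
    ("mallory@EXAMPLE.ORG", "webadmin", SHARED),   # neither rule allows
]

def differing_cases(cases=CASES, realm=REALM):
    """Return the logins whose outcome reveals which rule a daemon applies."""
    out = []
    for principal, user, k5 in cases:
        a = name_match_only(principal, user, realm)
        b = k5login_aware(principal, user, realm, k5)
        if a != b:
            out.append((principal, user, a, b))
    return out

if __name__ == "__main__":
    for principal, user, a, b in differing_cases():
        print(f"{principal} -> {user}: name-match={a} k5login-aware={b}")
```

The two rows it prints are the logins worth testing against a daemon: a listed foreign principal that should be admitted, and an unlisted owner principal that should be refused once a `.k5login` exists.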


