Re: ssh and kerberos
- From: Konstantin_Ischenko@xxxxxxxxxxxxxxxxxxxxxxxxxxxx (Konstantin Ischenko)
- Date: Thu, 11 May 2006 20:17:44 +0300
Hello ton!
11 May 06 07:56, you wrote to All:
tw> Just done a nice fresh install of Sol 9 sept 2005 with today's
tw> recommended patch set on a Blade 2000.
[...skipped...]
tw> what should I do to diagnose this problem which needs urgent
tw> rectification...
= comp.unix.solaris (2:463/1124.4)
============================================
Msg : 248 of 779
From : victorfeng1973@xxxxxxxxx 2:46/128 03 May 06 09:46:16
To : All
Subj : Re: New ssh/sshd patches for Solaris 9
===============================================================================
@RFCID: 1146674776.913172.104780@xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi,
I had two errors and I got them resolved with Sun's help:
1. xmalloc: zero size
2. "unable to initialize mechanism library [/usr/lib/gss/gl/mech_krb5.so]"

1. The xmalloc: zero size is a new bug (6402708).
Workaround: insert the following in your ssh_config file on both client and server:
StrictHostKeyChecking no

2. For the "unable to initialize mechanism library [/usr/lib/gss/gl/mech_krb5.so]" (see bug 6392328)
Workarounds:
1) Add to /etc/ssh/ssh_config and /etc/ssh/sshd_config:
GSSAPIAuthentication=no
GSSAPIKeyExchange=no
2) Replace /etc/krb5/krb5.conf with the following:
# Beginning of the file
#
# ident "@(#)krb5.conf 1.4 05/06/08 SMI"
#
# krb5.conf template
# In order to complete this configuration file
# you will need to replace the __<name>__ placeholders
# with appropriate values for your network.
#
[libdefaults]
default_realm = ___default_realm___
[realms]
___default_realm___ = {
kdc = ___master_kdc___
admin_server = ___master_kdc___
}
[domain_realm]
___domainname___ = ___default_realm___
[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {
# How often to rotate kdc.log. Logs will get rotated no more
# often than the period, and less often if the KDC is not used
# frequently.
period = 1d
# how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ....)
versions = 10
}
[appdefaults]
kinit = {
renewable = true
forwardable= true
}
# end of file
**Important: in order for the new changes to take effect, you must restart the sshd process after making your changes.
Victor
-+- LuckyGate/Unix 7.02
+ Origin: http://groups.google.com (2:46/128)
==============================================================================
Konstantin
.
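
The following is an added example, not part of the original messages: a small Python checker that reports where the workaround settings quoted above (StrictHostKeyChecking no, GSSAPIAuthentication=no, GSSAPIKeyExchange=no) are in effect in an ssh_config or sshd_config file, so they can be located again later. It accepts both the "keyword value" and "keyword=value" forms used in the message; the function names, the sample file and the first-value-wins rule (taken from OpenSSH) are assumptions.

```python
import re

# Settings the workarounds above add to ssh_config / sshd_config.
WORKAROUNDS = {
    "stricthostkeychecking": "no",  # workaround for bug 6402708
    "gssapiauthentication": "no",   # workaround 1) for bug 6392328
    "gssapikeyexchange": "no",
}
# Keyword, then whitespace or a single '=', then the value.
LINE_RE = re.compile(r"([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)")


def effective_options(text):
    """Map (scope, keyword) -> (value, line), keeping the first value seen
    (assumption: first value wins per scope, as in OpenSSH)."""
    scope, seen = "global", {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = LINE_RE.fullmatch(raw.strip())
        if not m:
            continue  # blank line, comment, or keyword without a value
        key, value = m.group(1).lower(), m.group(2).strip('"')
        if key in ("host", "match"):
            scope = key + " " + value  # a Host/Match line opens a new block
        else:
            seen.setdefault((scope, key), (value, lineno))
    return seen


def find_workarounds(text):
    """Return sorted (line, scope, keyword, value) for workaround settings."""
    opts = effective_options(text).items()
    return sorted((n, s, k, v) for (s, k), (v, n) in opts
                  if WORKAROUNDS.get(k) == v.lower())


# Constructed sample input, not taken from the original message.
SAMPLE = """\
# /etc/ssh/ssh_config
StrictHostKeyChecking no
GSSAPIAuthentication=no
GSSAPIKeyExchange = no
StrictHostKeyChecking yes
Host build*
    StrictHostKeyChecking ask
"""

if __name__ == "__main__":
    for hit in find_workarounds(SAMPLE):
        print("line %d [%s] %s = %s" % hit)
```

The second StrictHostKeyChecking line in the sample is not reported because the earlier value in the same scope takes precedence under the assumed rule.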