Getting public-key auth working in Solaris 10

Once upon a time, there was a Solaris 10 box where I wasn't able to use ssh keys to login.

Thankfully, that time has now passed. The problem was that PAM was denying access with public keys.

Running sshd in debug mode (-ddd) I would see this:

Found matching DSA key: 80:aa:32:03:ef:51:9c:7b:0f:1d:ac:37:17:d5:fd:2b
debug1: restore_uid: 0/0
debug1: ssh_dss_verify: signature correct
debug2: Starting PAM service sshd-pubkey for method publickey
debug3: Trying to reverse map address 69.181.132.53.
debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
Failed publickey for psionic from 69.181.132.53 port 55957 ssh2

The output clearly shows that sshd accepted my ssh-dss key, but I failed for some other reason. The relevant line is: Starting PAM service sshd-pubkey for method publickey. Solaris 10's manpage for sshd shows that it uses a different PAM service name for each type of authentication.

The solution involved adding a simple service entry in /etc/pam.conf:

sshd-pubkey    auth required           pam_unix_cred.so.1

It works now. This takes effect immediately because the PAM config is consulted any time sshd uses PAM, so you don't have to restart sshd.
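
One way to check a host for the causes reported on this page (no auth stack resolving for the sshd-pubkey service, as in the post, or a missing or locked shadow entry, as in the reader comments below). This is an added example, not code from the original post; the function names pam_auth_source, shadow_state and diagnose and the AWK variable are hypothetical, and it assumes a POSIX awk.

```shell
#!/bin/sh
# Added example (not from the original post). File paths are parameters so
# the checks can be run on copies; reading /etc/shadow itself needs root.
# Assumption: a POSIX awk. On Solaris 10 set AWK=nawk (or /usr/xpg4/bin/awk).
AWK=${AWK:-awk}

# pam_auth_source SERVICE [PAM_CONF]
# Prints where SERVICE gets its auth stack from: its own entries, the
# "other" catch-all, or "none" when neither exists.
pam_auth_source() {
    $AWK -v svc="$1" '
        /^[ \t]*#/ || NF < 4 { next }            # skip comments, short lines
        $2 == "auth" && $1 == svc     { own = 1 }
        $2 == "auth" && $1 == "other" { other = 1 }
        END { print (own ? svc : (other ? "other" : "none")) }
    ' "${2:-/etc/pam.conf}"
}

# shadow_state USER [SHADOW_FILE]
# Prints missing | locked | nopass | empty | set for USER's password field.
shadow_state() {
    pw=$($AWK -F: -v u="$1" '$1 == u { print $2; hit = 1; exit }
             END { if (!hit) exit 1 }' "${2:-/etc/shadow}") ||
        { echo missing; return 0; }
    case $pw in
        '*LK*'*|LK) echo locked ;;   # Solaris writes the lock marker as *LK*
        NP)         echo nopass ;;
        '')         echo empty ;;
        *)          echo set ;;
    esac
}

# diagnose USER [PAM_CONF] [SHADOW_FILE]
# Succeeds only if none of the failure causes reported on this page applies.
diagnose() {
    src=$(pam_auth_source sshd-pubkey "${2:-/etc/pam.conf}")
    st=$(shadow_state "$1" "${3:-/etc/shadow}")
    echo "sshd-pubkey auth stack: $src; shadow entry for $1: $st"
    [ "$src" != none ] && [ "$st" != missing ] && [ "$st" != locked ]
}
```

Run as root, `diagnose psionic` reports which PAM entry would serve sshd-pubkey and the state of that user's shadow field, and returns non-zero when one of the causes above is present.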

5 responses to 'Getting public-key auth working in Solaris 10'


Alessandro Suardi wrote at Mon Jan 22 04:45:06 2007...
That doesn't appear to be needed on the Solaris 10 box I've just banged my head on, as its /etc/pam.conf already contains the generic line with "other", which should act as a catch-all for services that aren't listed (including ssh-pubkey of course):

[oracle@dbracs2 ~]$ grep unix_cred /etc/pam.conf
login  auth required  pam_unix_cred.so.1
rlogin  auth required  pam_unix_cred.so.1
krlogin auth required  pam_unix_cred.so.1
rsh  auth required  pam_unix_cred.so.1
krsh  auth required  pam_unix_cred.so.1
ktelnet auth required  pam_unix_cred.so.1
ppp  auth required  pam_unix_cred.so.1
other  auth required  pam_unix_cred.so.1

My problem (with your exact symptoms above) was due to having created the UNIX user without setting a password for it. Once I initialized its password with the 'passwd' command, the apparently-fine ssh setup finally began to work.

Ady McClure wrote at Tue Jan 23 03:14:53 2007...
I had this issue as a result of not having a password set, more specifically having the password field set to :LK: in the shadow file. Setting a password or changing the password field to :NP: resolved the issue.

It seems that in later versions of Solaris :LK: causes the account to be treated as if it were disabled.

dmangot wrote at Thu Jul 12 17:14:15 2007...
Thanks Ady, you saved my day.  I was missing the account from /etc/shadow.  Running pwconv fixed me right up.

Deepak wrote at Sat Jan 9 07:15:10 2010...
I have been facing this issue for 5 days. I am able to log in over ssh from the local host, but the remote host is not authenticating my request. Can anybody please help me? I have newly installed the Solaris 10 OS. There are no firewalls and the internal firewall has also been disabled. It does not have any LDAP or other services enabled. It is just that an ssh user is not getting authenticated remotely.

Dinesh wrote at Wed Feb 10 07:50:32 2010...
Hi,

Please help me in configuring the /etc/pam.conf file for sshd. User accounts should be locked out after three unsuccessful attempts. We are running Solaris 10 and use PuTTY to log in.

Thanks,
Dinesh

