Jordan Sissel
geek

Fri, 29 Dec 2006

Getting public-key auth working in Solaris 10

Once upon a time, there was a Solaris 10 box where I wasn't able to use ssh keys to login.

Thankfully, that time has now passed. The problem was because PAM was denying access with public keys.

Running sshd in debug mode (-ddd) I would see this:

Found matching DSA key: 80:aa:32:03:ef:51:9c:7b:0f:1d:ac:37:17:d5:fd:2b
debug1: restore_uid: 0/0
debug1: ssh_dss_verify: signature correct
debug2: Starting PAM service sshd-pubkey for method publickey
debug3: Trying to reverse map address 69.181.132.53.
debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
Failed publickey for psionic from 69.181.132.53 port 55957 ssh2

Clearly indicated here is that sshd accepted my ssh-dss key, but I then failed for some other reason. Also listed is "Starting PAM service sshd-pubkey for method publickey". Solaris 10's manpage for sshd shows that it uses a different PAM service name for each type of authentication.

The solution involved adding a simple service entry in /etc/pam.conf:

sshd-pubkey    auth required           pam_unix_cred.so.1

It works now. This takes effect immediately, because sshd reads the PAM configuration every time it uses PAM, so you don't have to restart sshd.
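The two steps above (reading the -ddd output to see which PAM service name sshd used, then checking what /etc/pam.conf gives that service) can be scripted. The following is an added example written for this page, not code from the post; it embeds constructed sample data rather than reading the live system, and the function names sshd_pubkey_pam_denial, pam_stack and pam_source are made up here. It assumes the pam.conf(4) lookup rule that entries for the exact service name are used when any exist for that module type, and the "other" entries only when none do, which is also why an explicit sshd-pubkey line replaces the whole "other" auth stack for that service rather than adding to it.

```shell
#!/bin/sh
# Added example (not part of the original post): triage sshd -ddd output for a
# PAM veto of an otherwise-valid public key, then resolve which pam.conf
# entries the named PAM service would actually get.

# Constructed sample of sshd -ddd output, trimmed to the relevant lines.
SSHD_DEBUG='debug1: ssh_dss_verify: signature correct
debug2: Starting PAM service sshd-pubkey for method publickey
debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
Failed publickey for psionic from 69.181.132.53 port 55957 ssh2
'

# Two constructed pam.conf fragments: one with only the "other" catch-all,
# one with the explicit sshd-pubkey line added. Neither is a real system's file.
PAM_CONF_BEFORE='# catch-all only
login       auth required  pam_unix_cred.so.1
other       auth required  pam_unix_cred.so.1
other       auth required  pam_unix_auth.so.1
'
PAM_CONF_AFTER="${PAM_CONF_BEFORE}sshd-pubkey auth required  pam_unix_cred.so.1
"

# sshd_pubkey_pam_denial  (sshd -ddd output on stdin)
# Prints the PAM service name when the key signature verified but the
# publickey attempt still failed, i.e. PAM vetoed it; prints nothing otherwise.
sshd_pubkey_pam_denial() {
    awk '
        /signature correct/                               { verified = 1 }
        /Starting PAM service .* for method publickey/    { svc = $5 }
        /^Failed publickey/                               { failed = 1 }
        END { if (verified && failed && svc != "") print svc }'
}

# pam_stack SERVICE TYPE  (pam.conf on stdin)
# Prints the applicable entries as "service type control module", one per
# line. Exact-service entries win; "other" is used only if there are none.
pam_stack() {
    awk -v svc="$1" -v type="$2" '
        NF == 0 || $1 ~ /^#/ { next }          # blank lines and comments
        $2 != type           { next }          # only the requested module type
        $1 == svc            { exact[++nexact] = $1 " " $2 " " $3 " " $4 }
        $1 == "other"        { other[++nother] = $1 " " $2 " " $3 " " $4 }
        END {
            if (nexact > 0) for (i = 1; i <= nexact; i++) print exact[i]
            else            for (i = 1; i <= nother; i++) print other[i]
        }'
}

# pam_source SERVICE TYPE  (pam.conf on stdin)
# Prints "exact", "other" or "none" depending on where the stack comes from.
pam_source() {
    stack=$(pam_stack "$1" "$2")
    case "$stack" in
        "")      echo none ;;
        "$1 "*)  echo exact ;;
        *)       echo other ;;
    esac
}

# pam_stack_count SERVICE TYPE  (pam.conf on stdin) -> number of entries applied
pam_stack_count() {
    pam_stack "$1" "$2" | wc -l | tr -d ' '
}

# Walk-through: find the vetoing service in the log, then show its auth stack
# before and after the fix from the post.
svc=$(printf '%s' "$SSHD_DEBUG" | sshd_pubkey_pam_denial)
echo "PAM service that denied the key: ${svc:-none}"
echo "--- before (falls back to other) ---"
printf '%s' "$PAM_CONF_BEFORE" | pam_stack "$svc" auth
echo "--- after (explicit entry only) ---"
printf '%s' "$PAM_CONF_AFTER"  | pam_stack "$svc" auth
```

On a real box you would pipe the actual file in (`pam_stack sshd-pubkey auth < /etc/pam.conf`) and the captured `sshd -ddd` output into sshd_pubkey_pam_denial. The before/after output makes the caveat visible: once the explicit line exists, pam_unix_auth.so.1 from the "other" stack is no longer consulted for sshd-pubkey, so anything you want kept for that service has to be listed on its own lines.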

Permalink: /geekery/solaris-10-sshd-publickey-solution
posted at: 02:57


3 responses to 'Getting public-key auth working in Solaris 10'

Alessandro Suardi posted at Mon Jan 22 07:45:06 2007...
That doesn't appear to be needed on the Solaris 10 box I've just banged my head on, as its /etc/pam.conf already contains the generic line with "other", which should act as a catch-all for services that aren't listed (including ssh-pubkey, of course):

[oracle@dbracs2 ~]$ grep unix_cred /etc/pam.conf
login  auth required  pam_unix_cred.so.1
rlogin  auth required  pam_unix_cred.so.1
krlogin auth required  pam_unix_cred.so.1
rsh  auth required  pam_unix_cred.so.1
krsh  auth required  pam_unix_cred.so.1
ktelnet auth required  pam_unix_cred.so.1
ppp  auth required  pam_unix_cred.so.1
other  auth required  pam_unix_cred.so.1

My problem (with your exact symptoms above) was due to having created the UNIX user without setting a password for it. Once I initialized its password with the 'passwd' command, the apparently-fine ssh setup finally began to work.

Ady McClure posted at Tue Jan 23 06:14:53 2007...
I had this issue as a result of not having a password set, more specifically having the password field set to :LK: in the shadow file. Setting a password or changing the password field to :NP: resolved the issue.

It seems that in later versions of Solaris :LK: causes the account to be treated as if it were disabled.

dmangot posted at Thu Jul 12 20:14:15 2007...
Thanks Ady, you saved my day.  I was missing the account from /etc/shadow.  Running pwconv fixed me right up.

