OK, if I change the telnetd options to include '-a user' or '-a valid' I don't get prompted for a password, but I receive an 'Authorization failed' error from telnetd:
[arechenberg@rh71test ~]$ klist -fe
Ticket cache: FILE:/tmp/krb5cc_601
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
03/15/02 14:18:46  03/16/02 00:18:46  [EMAIL PROTECTED]
        Flags: FPIA, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
03/15/02 14:18:58  03/16/02 00:18:46  [EMAIL PROTECTED]
        Flags: FPA, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32

Kerberos 4 ticket cache: /tmp/tkt601
klist: You have no tickets cached
[arechenberg@rh71test ~]$ telnet -a rh71test.shermfin.com
Trying 10.1.1.55...
Connected to rh71test.shermfin.com (10.1.1.55).
Escape character is '^]'.
[ Kerberos V5 accepts you as ``[EMAIL PROTECTED]'' ]
telnetd: Authorization failed.
^^^^^^^^^^^^^^^^^^^^^^^^^^

Any ideas?

Andy.

-----Original Message-----
From: Ken Grady [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 15, 2002 1:32 PM
To: Rechenberg, Andrew
Subject: Re: Tickets accepted upon login but still prompted for password

And you have the /lib/security/pam_krb5.so library from RedHat installed? Or are there extra lines in /etc/pam.d for telnet? Or rlogin?

We are mostly using ssh instead of telnet, so I don't have anything to check it out with.

"Rechenberg, Andrew" wrote:
> I added those lines to my system-auth file and I still have the same results :\
>
> -----Original Message-----
> From: Ken Grady [mailto:[EMAIL PROTECTED]]
> Sent: Friday, March 15, 2002 12:11 PM
> To: Rechenberg, Andrew
> Subject: Re: Tickets accepted upon login but still prompted for password
>
> You need to tell PAM that Kerberos authentication is ok. We use a different PAM, but here is our login and system_auth:
>
> # more login
> #%PAM-1.0
> auth required /lib/security/pam_securetty.so
> auth required /lib/security/pam_stack.so service=system-auth
> auth required /lib/security/pam_nologin.so
> account required /lib/security/pam_stack.so service=system-auth
> password required /lib/security/pam_stack.so service=system-auth
> session required /lib/security/pam_stack.so service=system-auth
> session optional /lib/security/pam_console.so
>
> # more system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required /lib/security/pam_env.so
> auth sufficient /lib/security/pam_unix.so likeauth nullok
> auth sufficient /lib/security/pam_krb5.so use_first_pass
> auth required /lib/security/pam_deny.so
>
> account required /lib/security/pam_unix.so
>
> password required /lib/security/pam_cracklib.so retry=3
> password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
> password sufficient /lib/security/pam_krb5.so use_authtok
> password required /lib/security/pam_deny.so
>
> session required /lib/security/pam_limits.so
> session required /lib/security/pam_unix.so
> session optional /lib/security/pam_krb5.so
>
> Andy Rechenberg wrote:
>
> > I have a Red Hat Linux 7.1 box set up to use Kerberos authentication
> > for telnet access. The KDC is a Windows 2000 Server (SP2). I have
> > successfully set up a service principal for the Linux box in the 2000
> > domain and I have transferred the keytab to the Linux box and imported
> > it into /etc/krb5.keytab.
> >
> > A user can successfully obtain tickets from the KDC while logging in,
> > but when I try to test an automatic telnet login the user's tickets
> > are accepted but the user is still prompted for a password. I would
> > prefer the users not to be prompted once they obtain their Kerberos
> > tickets.
> >
> > Am I missing something so obvious it's stupid? :) I have krb5-telnet
> > activated in xinetd and have specified it to use login.krb5. I also
> > have the default PAM config files for RH7.1. I have tried using
> > authconfig to include Kerberos authentication, but that did not make a
> > difference. Below are relevant configuration files and sample outputs
> > from a telnet session.
> >
> > Any help would be greatly appreciated. Let me know if you need any
> > more information. Please CC: my email address with any responses.
> > Thank you in advance.
> >
> > Regards,
> > Andrew Rechenberg
> > Network Team, Sherman Financial Group
> > arechenberg(at)shermanfinancialgroup.com
> >
> > ***********************************************************
> > [root@rh71test ~]# telnet rh71test.shermfin.com
> > Trying 10.1.1.55...
> > Connected to rh71test.shermfin.com.
> > Escape character is '^]'.
> >
> > rh71test.shermfin.com (Linux release 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001) (4)
> >
> > login: arechenberg
> > Password for arechenberg:
> > Last login: Fri Mar 15 10:38:46 from rh71test
> >
> > [arechenberg@rh71test ~]$ klist -fe
> > Ticket cache: FILE:/tmp/krb5cc_p31503
> > Default principal: [EMAIL PROTECTED]
> >
> > Valid starting     Expires            Service principal
> > 03/15/02 10:49:24  03/15/02 20:49:24  [EMAIL PROTECTED]
> >         Flags: FPIA, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
> > 03/15/02 10:49:24  03/15/02 10:54:24  [EMAIL PROTECTED]
> >         Flags: FPA, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
> >
> > Kerberos 4 ticket cache: /tmp/tkt601
> > klist: You have no tickets cached
> > [arechenberg@rh71test ~]$ telnet -a rh71test.shermfin.com
> > Trying 10.1.1.55...
> > Connected to rh71test.shermfin.com (10.1.1.55).
> > Escape character is '^]'.
> > [ Kerberos V5 accepts you as ``[EMAIL PROTECTED]'' ]
> > Password for arechenberg:
> >
> > ^^^^^^^^^^^^^^^^^^^^^^^^^
> > Tickets accepted, but still prompted for password. :\
> >
> > [root@rh71test ~]# cat /etc/krb5.conf
> > [logging]
> > default = FILE:/var/log/krb5libs.log
> > kdc = FILE:/var/log/krb5kdc.log
> > admin_server = FILE:/var/log/kadmind.log
> >
> > [libdefaults]
> > ticket_lifetime = 24000
> > default_realm = SHERMFIN.COM
> > dns_lookup_realm = false
> > dns_lookup_kdc = false
> > default_tgs_enctypes = des-cbc-crc des-cbc-md5
> > default_tkt_enctypes = des-cbc-crc des-cbc-md5
> > forwardable = true
> > proxiable = true
> >
> > [realms]
> > SHERMFIN.COM = {
> > kdc = mykdc.shermfin.com:88
> > default_domain = shermfin.com
> > }
> >
> > [domain_realm]
> > .shermfin.com = SHERMFIN.COM
> > shermfin.com = SHERMFIN.COM
> >
> > [kdc]
> > profile = /var/kerberos/krb5kdc/kdc.conf
> >
> > [pam]
> > debug = false
> > ticket_lifetime = 36000
> > renew_lifetime = 36000
> > forwardable = true
> > krb4_convert = false
> >
> > [root@rh71test ~]# cat /etc/xinetd.d/krb5-telnet
> > # default: off
> > # description: The kerberized telnet server accepts normal telnet sessions, \
> > # but can also use Kerberos 5 authentication.
> > service telnet
> > {
> > flags = REUSE
> > socket_type = stream
> > wait = no
> > user = root
> > server = /usr/kerberos/sbin/telnetd
> > server_args = -a valid -L /bin/login.krb5
> > log_on_failure += USERID
> > disable = no
> > }
> >
> > [root@rh71test ~]# cat /etc/pam.d/login
> > #%PAM-1.0
> > auth required /lib/security/pam_securetty.so
> > auth required /lib/security/pam_stack.so service=system-auth
> > auth required /lib/security/pam_nologin.so
> > account required /lib/security/pam_stack.so service=system-auth
> > password required /lib/security/pam_stack.so service=system-auth
> > session required /lib/security/pam_stack.so service=system-auth
> > session optional /lib/security/pam_console.so
> >
> > [root@rh71test ~]# cat /etc/pam.d/system-auth
> > #%PAM-1.0
> > # This file is auto-generated.
> > # User changes will be destroyed the next time authconfig is run.
> > auth required /lib/security/pam_env.so
> > auth sufficient /lib/security/pam_unix.so likeauth nullok
> > auth required /lib/security/pam_deny.so
> >
> > account required /lib/security/pam_unix.so
> >
> > password required /lib/security/pam_cracklib.so retry=3
> > password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
> > password required /lib/security/pam_deny.so
> >
> > session required /lib/security/pam_limits.so
> > session required /lib/security/pam_unix.so
> > ________________________________________________
> > Kerberos mailing list [EMAIL PROTECTED]
> > http://mailman.mit.edu/mailman/listinfo/kerberos
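As an added example, not code from the thread, here is a small Python model of Linux-PAM control-flag semantics (required, requisite, sufficient, optional) run over the two system-auth auth stacks quoted above: the stock Red Hat 7.1 one without pam_krb5 and Ken's with it. The module outcomes are a constructed scenario supplied by hand rather than real PAM calls, assuming a user whose password is known only to the KDC.

```python
# Added illustration, not code from the thread: Linux-PAM control-flag model.
# Stock Red Hat 7.1 auth stack (no pam_krb5) and Ken's stack with pam_krb5;
# auth lines copied from the thread, other management groups omitted.
RH71_AUTH = """
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so
"""
KRB5_AUTH = """
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_krb5.so use_first_pass
auth required /lib/security/pam_deny.so
"""

# Constructed scenario (assumption): the password is known only to the KDC,
# so pam_unix cannot verify it while pam_krb5 can; pam_deny always fails.
KDC_ONLY_USER = {"pam_env.so": True, "pam_unix.so": False,
                 "pam_krb5.so": True, "pam_deny.so": False}


def parse_stack(text, group="auth"):
    """Return [(control, module, args)] for one management group of a pam.d file."""
    stack = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != group:  # skips blanks and comments
            continue
        stack.append((parts[1], parts[2].rsplit("/", 1)[-1], parts[3:]))
    return stack


def evaluate(stack, outcomes):
    """Classic PAM semantics: a required failure is remembered but the stack
    keeps running; requisite fails at once; a sufficient success ends the stack
    only if no required module failed before it; optional never decides."""
    required_failed = decided = False
    for control, module, _args in stack:
        ok = outcomes.get(module, False)  # module absent from scenario: fails
        if control in ("required", "requisite"):
            if ok:
                decided = True
            elif control == "requisite":
                return "denied"
            else:
                required_failed = True
        elif control == "sufficient" and ok and not required_failed:
            return "success"
    return "denied" if required_failed or not decided else "success"
```

With the KDC-only user the RH7.1 stack ends at the required pam_deny line and is denied, while Ken's stack stops at the sufficient pam_krb5 line and succeeds; a failure of the required pam_env line earlier in the stack would block that shortcut.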