Hi everyone, I have Russ Allbery's pam_krb5 and pam_afs_session modules working for console logins, but they fail for ssh logins (both password and kerberized). I can get ssh logins to work with RedHat's pam_krb5 module, but RedHat's module causes problems with AFS tokens and Gnome (gconfd). Disabling ssh privilege separation doesn't make a difference. Any help is appreciated.
Platform: RHEL 5.6 x86_64

Here is the log from the password login:

Mar 1 16:39:08 myhost sshd[22409]: pam_krb5(sshd:account): pam_sm_acct_mgmt: entry
Mar 1 16:39:08 myhost sshd[22409]: pam_krb5(sshd:account): skipping non-Kerberos login
Mar 1 16:39:08 myhost sshd[22409]: pam_krb5(sshd:account): pam_sm_acct_mgmt: exit (ignore)
Mar 1 16:39:08 myhost sshd[22409]: fatal: Access denied for user jwedgeco by PAM account configuration

Here is the log from the kerberized login:

Mar 1 16:39:15 myhost sshd[22412]: Authorized to jwedgeco, krb5 principal jwedgeco@MYREALM (krb5_kuserok)
Mar 1 16:39:15 myhost sshd[22412]: pam_krb5(sshd:account): pam_sm_acct_mgmt: entry
Mar 1 16:39:15 myhost sshd[22412]: pam_krb5(sshd:account): skipping non-Kerberos login
Mar 1 16:39:15 myhost sshd[22412]: pam_krb5(sshd:account): pam_sm_acct_mgmt: exit (ignore)
Mar 1 16:39:15 myhost sshd[22412]: fatal: Access denied for user jwedgeco by PAM account configuration

Contents of /etc/pam.d/system-auth-ac:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth optional pam_group.so
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 104 quiet
auth sufficient /usr/local/lib/security/pam_krb5.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 104 quiet
account [default=bad success=ok user_unknown=ignore] /usr/local/lib/security/pam_krb5.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient /usr/local/lib/security/pam_krb5.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional /usr/local/lib/security/pam_krb5.so
session required pam_afs_session.so
session required pam_mkhomedir.so skel=/etc/skel umask=0022 silent

Contents of /etc/pam.d/sshd:

auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session sufficient /usr/local/lib/security/pam_krb5.so
session include system-auth
session required pam_loginuid.so

Contents of /etc/ssh/sshd_config:

Protocol 2
SyslogFacility AUTHPRIV
ChallengeResponseAuthentication no
KerberosAuthentication yes
KerberosOrLocalPasswd no
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIAuthentication yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
X11Forwarding yes
UsePrivilegeSeparation yes
ShowPatchLevel no
Subsystem sftp /usr/libexec/openssh/sftp-server

Thanks,
Jason

---------------------------------------------------------------------------
Jason Edgecombe | Linux and Solaris Administrator
UNC Charlotte | The William States Lee College of Engineering
9201 University City Blvd. | Charlotte, NC 28223-0001
Phone: 704-687-3514
jwedgeco@MYREALM | http://coe.MYREALM
---------------------------------------------------------------------------

________________________________________________
Kerberos mailing list
https://mailman.mit.edu/mailman/listinfo/kerberos
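As an added illustration that is not part of Jason's message: a small Python model of how Linux-PAM walks an account stack under the control-flag semantics that pam.conf(5) documents (`required` expands to `[success=ok new_authtok_reqd=ok ignore=ignore default=bad]`, and in a bracketed control any return value not named falls to `default`). It runs the posted sshd account stack with constructed per-module results that match the log's `pam_sm_acct_mgmt: exit (ignore)`; the per-module results, the treatment of an unspecified `default` as `bad`, and sshd denying any non-success account status are assumptions, and jumps (`N`) and `reset` are left out.

```python
# Keyword controls expanded to their bracketed equivalents, per pam.conf(5).
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
}
def parse_control(control):
    """Turn a control field into a {return_value: action} table."""
    control = KEYWORDS.get(control, control).strip()
    if not (control.startswith("[") and control.endswith("]")):
        raise ValueError("unknown control: " + control)
    return dict(item.split("=", 1) for item in control[1:-1].split())

def action_for(control, retval):
    """Action for one return value; values not named fall to 'default'."""
    table = parse_control(control)
    return table.get(retval, table.get("default", "bad"))  # assumed: bad if unset

def run_stack(stack, results):
    """Walk [(control, module)] with per-module return values, as pam.conf(5)
    describes: ok/done set the status unless a module already failed, bad/die
    record the first failure, ignore adds nothing, done/die stop the walk."""
    impression, status = None, "success"
    for control, module in stack:
        retval = results[module]
        action = action_for(control, retval)
        if action in ("ok", "done") and impression != "negative":
            impression, status = "positive", retval
        elif action in ("bad", "die") and impression != "negative":
            impression, status = "negative", retval
        if action in ("done", "die"):
            break
    return status  # anything but "success" makes sshd deny the login

# The posted account stack: pam_nologin from /etc/pam.d/sshd, then system-auth-ac.
SSHD_ACCOUNT_STACK = [
    ("required", "pam_nologin.so"),
    ("required", "pam_unix.so"),
    ("sufficient", "pam_succeed_if.so"),
    ("[default=bad success=ok user_unknown=ignore]", "pam_krb5.so"),
    ("required", "pam_permit.so"),
]
# Constructed results for the posted login: uid >= 104 so pam_succeed_if fails
# (harmless under "sufficient"), and pam_krb5 exits PAM_IGNORE as the log shows.
POSTED_RESULTS = {"pam_nologin.so": "success", "pam_unix.so": "success",
                  "pam_succeed_if.so": "auth_err", "pam_krb5.so": "ignore",
                  "pam_permit.so": "success"}
def with_control(stack, module, control):
    """Copy of the stack with one module's control field swapped."""
    return [(control if m == module else c, m) for c, m in stack]
```

Under the posted bracketed control the PAM_IGNORE from pam_krb5 maps to `bad` and the stack fails; under `required` (or with an explicit `ignore=ignore` added to the bracket) the same return contributes nothing and the stack succeeds.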
