Hello

I just (post-)installed Ubuntu 12.04 as usual - but got an unusual problem:

Well, I can kinit w/o any trouble and even get my AFS token,
thus I expect Heimdal itself to be somehow OK.
However, when trying ssh (using PAM) I face this:

------------------8<--------------8<-------------------
~#> tail -5 /var/log/auth.log
Jul 11 15:36:21 linix3 sshd[2166]: Connection closed by 144.41.11.220 [preauth]
Jul 11 16:07:42 linix3 sshd[2266]: pam_krb5(sshd:auth): (user feiler) credential verification failed: encryption key has bad length
Jul 11 16:07:42 linix3 sshd[2266]: pam_krb5(sshd:auth): authentication failure; logname=feiler uid=0 euid=0 tty=ssh ruser= rhost=maren3.rz.uni-hohenheim.de
Jul 11 16:07:42 linix3 sshd[2266]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=maren3.rz.uni-hohenheim.de user=feiler
Jul 11 16:07:45 linix3 sshd[2266]: Failed password for feiler from 144.41.11.220 port 57593 ssh2
~#>
------------------8<--------------8<-------------------
Well, I'm sure the password *is* correct.
The failing PAM module '/lib/x86_64-linux-gnu/security/pam_krb5.so'
comes with the package 'libpam-heimdal'.

I have actually no idea what the term
  "credential verification failed: encryption key has bad length"
wants to tell me, nor where to look for the oddities causing it.

Does anyone else have an idea?  Any hint is very welcome.


Best regards


Mathias Feiler


PS:
Below you can see my
* keytab,
* pam-config (which I personally never touched)
* krb5.conf

------------------8<--------------8<-------------------
~#> ktutil list
FILE:/etc/krb5.keytab:

Vno  Type                     Principal              Aliases
  1  aes256-cts-hmac-sha1-96  host/[email protected]
  1  arcfour-hmac-md5         host/[email protected]
  1  des3-cbc-sha1            host/[email protected]
  1  des-cbc-md5              host/[email protected]
  1  des-cbc-md4              host/[email protected]
  1  des-cbc-crc              host/[email protected]
~#>
------------------8<--------------8<-------------------

------------------8<--------------8<-------------------
~#> cat /etc/pam.d/common-auth
....

# here are the per-package modules (the "Primary" block)
auth    [success=2 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional                        pam_afs_session.so
auth    optional                        pam_cap.so
# end of pam-auth-update config


~#> cat /etc/pam.d/common-session
....
# here are the per-package modules (the "Primary" block)
session [default=1]                     pam_permit.so
# here's the fallback if no module succeeds
session requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required                        pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional                        pam_umask.so
# and here are more per-package modules (the "Additional" block)
session optional                        pam_krb5.so minimum_uid=1000
session required                        pam_unix.so
session optional                        pam_afs_session.so
session optional                        pam_ck_connector.so nox11
------------------8<--------------8<-------------------

------------------8<--------------8<-------------------
~#> cat /etc/krb5.conf
# This is /etc/krb5.conf ready for Heimdal used at uni Hohenheim
[appdefaults]
        forwardable = true
        pam = {
            minimum_uid = 4000
            UNI-HOHENHEIM.DE = {
                ignore_k5login = true
            }
        }
[libdefaults]
        allow_week_crypto = yes
        # allow_week_crypto = true
        default_realm = UNI-HOHENHEIM.DE
        ticket_lifetime = 12h
        renew_lifetime  = 168h
        v4_instance_resolve = false
        fcc-mit-ticketflags = true
[realms]
        UNI-HOHENHEIM.DE = {
                kdc = 144.41.5.160
                kdc = 144.41.5.161
                kdc = 144.41.5.162
                admin_server = 144.41.5.160
                default_domain = uni-hohenheim.de
        }
         .....
[domain_realm]
        .uni-hohenheim.de = UNI-HOHENHEIM.DE
        uni-hohenheim.de  = UNI-HOHENHEIM.DE
        .....
[login]
        krb4_convert = true
        krb4_get_tickets = true
------------------8<--------------8<-------------------

--
Mathias Feiler  - Universitaet Hohenheim
Kommunikations-, Informations- und Medienzentrum (630)
IT-Dienste  | Abt. IT-Infrastruktur (ITI)
Raum 04.24/227 Schloss Westhof-Sued | 70599 Stuttgart
Tel. + 49 711 459 23949 | Fax + 49 711 459 23449

_______________________________________________
OpenAFS-devel mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-devel
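
An added example, not part of the original post: a small audit an administrator could run over the two artefacts shown above, listing single-DES keys in a `ktutil list` dump and `[libdefaults]` keys that are not in an accepted set. The sample input is constructed with placeholder names, and the accepted-key set is an assumption built from the keys in the post plus `allow_weak_crypto`, the option name documented in krb5.conf(5).

```python
import re

# Constructed sample input modelled on the post's `ktutil list` and krb5.conf
# excerpts; principal, realm and domain are placeholders.
KTUTIL_LIST = """\
Vno  Type                     Principal
  1  aes256-cts-hmac-sha1-96  host/host.example.org@EXAMPLE.ORG
  1  arcfour-hmac-md5         host/host.example.org@EXAMPLE.ORG
  1  des3-cbc-sha1            host/host.example.org@EXAMPLE.ORG
  1  des-cbc-md5              host/host.example.org@EXAMPLE.ORG
  1  des-cbc-crc              host/host.example.org@EXAMPLE.ORG
"""
KRB5_CONF = """\
[libdefaults]
        allow_week_crypto = yes
        default_realm = EXAMPLE.ORG
        ticket_lifetime = 12h
[domain_realm]
        .example.org = EXAMPLE.ORG
"""
# Assumption: the [libdefaults] keys this audit accepts; extend for your site.
KNOWN_LIBDEFAULTS = {"allow_weak_crypto", "default_realm", "ticket_lifetime",
                     "renew_lifetime", "v4_instance_resolve", "fcc-mit-ticketflags"}

def weak_keytab_entries(listing):
    """Return (kvno, enctype, principal) for single-DES keys in a ktutil listing."""
    rows = re.findall(r"^\s*(\d+)\s+(\S+)\s+(\S+)", listing, re.M)
    return [(int(v), e, p) for v, e, p in rows if e.startswith("des-cbc-")]

def libdefaults(conf):
    """Parse the key = value pairs of the [libdefaults] section only."""
    section, out = None, {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section = m.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            out[key] = value
    return out

def audit(listing, conf):
    """Report weak keytab keys, unrecognised keys, and the weak-crypto setting."""
    opts = libdefaults(conf)
    return {
        "weak_keys": weak_keytab_entries(listing),
        "unknown_keys": sorted(set(opts) - KNOWN_LIBDEFAULTS),
        "weak_crypto_enabled": opts.get("allow_weak_crypto", "no").lower() in ("yes", "true"),
    }
```
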