We are running the package 'openssh-server-3.9p1-8.RHEL4.4'. My man pages for sshd_config indicate that UsePAM is off by default. I turned off the pubkey, because I had been using a pub/priv key, but that seemed to cause ssh to skip the Kerberos authentication completely.

I'm using this on i386. Thanks for the observation about the difference between the auth and session messages. Not sure where to go with that, but it is interesting. 

The basic problem still seems to be that the kerberos tickets are not getting written to the cache so that subsequent processes have access to them.

Thanks again for the help.

-KAS


Kurt A. Seiffert                        | [EMAIL PROTECTED]
UITS Distributed Storage Services Group | C: 812-345-1892
Indiana University, Bloomington         | W: 1 812-855-5089


On Jul 15, 2005, at 11:24 AM, Christopher Allen Wing wrote:

On Fri, 15 Jul 2005, Kurt Seiffert wrote:


The only thing I did for the sshd was to turn off PubKey authentication and turn on PAM authentication.


PAM is enabled by default, and pubkey shouldn't make a difference.


Is this the standard sshd that comes with RHEL4, or your own?

The interaction between OpenSSH's 'privilege separation', PAM, and SELinux can be somewhat interesting.



In fact, it looks like that's your problem.


Note that in your debugging log the first messages from sshd come from pid 15636:



Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: trying previously-entered password for 'seiffert'
Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: authenticating '[EMAIL PROTECTED]' to 'krbtgt/[EMAIL PROTECTED]'
Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: krb5_get_init_creds_password(krbtgt/[EMAIL PROTECTED]) returned 0 (Success)
Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: got result 0 (Success)
Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: obtaining v4-compatible key
Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: obtained des-cbc-crc v5 creds
Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: converting v5 creds to v4 creds (etype = 1)
Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: conversion succeeded
Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: authentication succeeds for 'seiffert' ([EMAIL PROTECTED])
Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: pam_authenticate returning 0 (Success)


This is from the "auth" stage of PAM.


Now look at the next set of messages, from the "session" stage of PAM:



Jul 13 15:35:33 rufus1 sshd(pam_unix)[15637]: session opened for user seiffert by (uid=0)
Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: configured realm 'RFSTEST.IU.EDU'
Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: flags: not forwardable
Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: flag: no ignore_afs
Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: flag: user_check
Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: flag: no krb4_convert
Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: flag: warn
Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: ticket lifetime: 36000
Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: renewable lifetime: 36000
Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: banner: Kerberos 5
Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: ccache dir: /tmp
Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: keytab: /etc/krb5.keytab
Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: no v5 creds for user 'seiffert', skipping session setup




The PAM module is now running in a different process, so it doesn't have access to the krb5 creds (which were stored in the memory image of process 15636).

That's why it fails for you.




We're using sshd from the 'openssh-server-3.9p1-8.RHEL4.1' RPM, and the standard /etc/ssh/sshd config files.

It works for us on i386 and x86_64.

What are you using?


-Chris


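The diagnosis Chris makes by eye above (pam_krb5's auth stage ran in sshd pid 15636, PAM's session stage ran in pid 15637, so the creds obtained in the first process were never visible to the second) can be automated over syslog. The following is an added example written for this page, not code from either poster or from OpenSSH or pam_krb5. It parses `sshd[PID]: pam_krb5[PID]: ...` and `sshd(pam_unix)[PID]: session opened ...` lines of the shape quoted in the thread, groups them per user, and reports when the auth and session stages landed in different PIDs and the session stage found no creds. The sample log reuses the lines quoted above (with the archive's `[EMAIL PROTECTED]` redactions left in place); the second, "healthy" sample and the finding strings are constructed for illustration.

```python
"""Correlate pam_krb5 auth- and session-stage syslog lines by sshd PID.

Added example, not from the thread. Flags the privilege-separation symptom
discussed above: PAM auth succeeded in one sshd process, but PAM session
setup ran in another process and found no Kerberos creds.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Lines quoted in the thread (trimmed to the ones the analysis needs).
THREAD_LOG = """\
Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: trying previously-entered password for 'seiffert'
Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: authentication succeeds for 'seiffert' ([EMAIL PROTECTED])
Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: pam_authenticate returning 0 (Success)
Jul 13 15:35:33 rufus1 sshd(pam_unix)[15637]: session opened for user seiffert by (uid=0)
Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: ccache dir: /tmp
Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: no v5 creds for user 'seiffert', skipping session setup
"""

# Constructed contrast case (hypothetical host/pid): auth and session in one
# process and no "no v5 creds" complaint.
HEALTHY_LOG = """\
Jul 13 16:00:01 example1 sshd[2001]: pam_krb5[2001]: authentication succeeds for 'alice' ([EMAIL PROTECTED])
Jul 13 16:00:01 example1 sshd[2001]: pam_krb5[2001]: pam_authenticate returning 0 (Success)
Jul 13 16:00:01 example1 sshd(pam_unix)[2001]: session opened for user alice by (uid=0)
"""

# "sshd[PID]: msg" or "sshd(pam_unix)[PID]: msg"
LINE_RE = re.compile(r"sshd(?:\([^)]*\))?\[(?P<pid>\d+)\]: (?P<msg>.*)$")
AUTH_OK_RE = re.compile(r"pam_krb5\[\d+\]: authentication succeeds for '(?P<user>[^']+)'")
SESSION_OPEN_RE = re.compile(r"session opened for user (?P<user>\S+)")
NO_CREDS_RE = re.compile(
    r"pam_krb5\[\d+\]: no v5 creds for user '(?P<user>[^']+)', skipping session setup"
)


@dataclass
class PamTrace:
    auth_pid: Optional[int] = None      # sshd pid where pam_krb5 auth succeeded
    session_pid: Optional[int] = None   # sshd pid where PAM session stage ran
    creds_missing: bool = False         # session stage reported no v5 creds


def parse_traces(log_text: str) -> Dict[str, PamTrace]:
    """Return, per user, which sshd PIDs ran the PAM auth and session stages."""
    traces: Dict[str, PamTrace] = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, msg = int(m.group("pid")), m.group("msg")
        if (a := AUTH_OK_RE.search(msg)):
            traces.setdefault(a["user"], PamTrace()).auth_pid = pid
        elif (s := SESSION_OPEN_RE.search(msg)):
            traces.setdefault(s["user"], PamTrace()).session_pid = pid
        elif (n := NO_CREDS_RE.search(msg)):
            t = traces.setdefault(n["user"], PamTrace())
            t.session_pid = pid
            t.creds_missing = True
    return traces


def diagnose(traces: Dict[str, PamTrace]) -> Dict[str, str]:
    """Map each user to a one-line finding about the auth/session PID split."""
    findings: Dict[str, str] = {}
    for user, t in traces.items():
        if t.auth_pid is None:
            findings[user] = "no pam_krb5 authentication success seen"
        elif t.session_pid is None:
            findings[user] = f"auth ok in pid {t.auth_pid}; no session stage seen"
        elif t.auth_pid != t.session_pid and t.creds_missing:
            findings[user] = (f"privsep split: auth in pid {t.auth_pid}, session in pid "
                              f"{t.session_pid}, creds never reached the session process")
        elif t.auth_pid != t.session_pid:
            findings[user] = (f"auth and session in different pids ({t.auth_pid} vs "
                              f"{t.session_pid}) but session found creds")
        else:
            findings[user] = f"auth and session both in pid {t.auth_pid}; creds available"
    return findings


if __name__ == "__main__":
    for name, log in (("thread", THREAD_LOG), ("healthy", HEALTHY_LOG)):
        for user, finding in diagnose(parse_traces(log)).items():
            print(f"{name}: {user}: {finding}")
```

Run it against `/var/log/secure` (or whatever facility pam_krb5 logs to on the host) to confirm the split Chris describes: the finding for the thread's lines names pid 15636 for auth and 15637 for session, while the constructed healthy case reports a single pid. The script only reads what is already in syslog; it does not touch the ccache or sshd configuration.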