Re: Can't get Russ' pam_krb5 module to work with ssh on RHEL5

2012-03-01 Thread Russ Allbery
Jason Edgecombe  writes:
> On 03/01/2012 07:38 PM, Russ Allbery wrote:

>> If you lock users in /etc/shadow, pam_unix will reject all logins via
>> whatever mechanism for those users.  So you either have to arrange to
>> bypass pam_unix entirely in PAM, or you need to not lock users and
>> instead just give them invalid password entries.

>> However, "*" isn't locking the account; "!" is locking the account.  At
>> least on Debian; maybe pam_unix works differently on Red Hat?

> Well, pam_unix worked fine with RedHat's pam_krb5. Console and GDM
> logins work; only ssh is broken. I don't think that the password entries
> are a problem.

There are two things that are obviously failing given your logs:

* pam-krb5 is not running at all during the authentication step.  This
  obviously can't be a problem with pam-krb5.  :)  Something is wrong with
  the PAM configuration.

* The account group in PAM is rejecting the login despite the fact that
  pam-krb5 is returning ignore.  I'm pretty sure that adding the missing
  ignore=ignore directive will fix this.

-- 
Russ Allbery (r...@stanford.edu) 

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: Can't get Russ' pam_krb5 module to work with ssh on RHEL5

2012-03-01 Thread Jason Edgecombe
On 03/01/2012 07:38 PM, Russ Allbery wrote:
> Jason Edgecombe  writes:
>
>> No, the local users are locked in the shadow file. The users have a "*"
>> in the password field for the /etc/shadow file. I'm using nssdb for
>> passwd and shadow file if that matters.
> If you lock users in /etc/shadow, pam_unix will reject all logins via
> whatever mechanism for those users.  So you either have to arrange to
> bypass pam_unix entirely in PAM, or you need to not lock users and instead
> just give them invalid password entries.
>
> However, "*" isn't locking the account; "!" is locking the account.  At
> least on Debian; maybe pam_unix works differently on Red Hat?
>
Well, pam_unix worked fine with RedHat's pam_krb5. Console and GDM
logins work; only ssh is broken. I don't think that the password entries
are a problem.



Re: Can't get Russ' pam_krb5 module to work with ssh on RHEL5

2012-03-01 Thread Russ Allbery
Jason Edgecombe  writes:

> No, the local users are locked in the shadow file. The users have a "*" 
> in the password field for the /etc/shadow file. I'm using nssdb for 
> passwd and shadow file if that matters.

If you lock users in /etc/shadow, pam_unix will reject all logins via
whatever mechanism for those users.  So you either have to arrange to
bypass pam_unix entirely in PAM, or you need to not lock users and instead
just give them invalid password entries.

However, "*" isn't locking the account; "!" is locking the account.  At
least on Debian; maybe pam_unix works differently on Red Hat?

-- 
Russ Allbery (r...@stanford.edu) 



Re: Can't get Russ' pam_krb5 module to work with ssh on RHEL5

2012-03-01 Thread Jason Edgecombe
On 03/01/2012 06:43 PM, Russ Allbery wrote:
> "Edgecombe, Jason"  writes:
>
>> I have Russ Allbery's pam_krb5 and pam_afs_session modules working for
>> console logins, but they fail for ssh logins (both password and
>> kerberized).  I can get ssh logins to work with RedHat's pam_krb5
>> module, but RedHat's module causes problems with AFS tokens and Gnome
>> (gconfd).  Disabling ssh privilege separation doesn't make a
>> difference. Any help is appreciated.
>> Platform: RHEL 5.6 x86_64
>> Here is the log from the password login:
>> Mar  1 16:39:08 myhost sshd[22409]: pam_krb5(sshd:account): pam_sm_acct_mgmt: entry
>> Mar  1 16:39:08 myhost sshd[22409]: pam_krb5(sshd:account): skipping non-Kerberos login
>> Mar  1 16:39:08 myhost sshd[22409]: pam_krb5(sshd:account): pam_sm_acct_mgmt: exit (ignore)
>> Mar  1 16:39:08 myhost sshd[22409]: fatal: Access denied for user jwedgeco by PAM account configuration
> The first thing that jumps out here is that apparently the auth
> functionality of pam-krb5 never ran.  Either that, or debug wasn't enabled
> for auth, but the account group is also saying that the user didn't log on
> with Kerberos.
>
>> Contents of /etc/pam.d/system-auth-ac:
>> #%PAM-1.0
>> # This file is auto-generated.
>> # User changes will be destroyed the next time authconfig is run.
>> auth       optional     pam_group.so
>> auth       required     pam_env.so
>> auth       sufficient   pam_unix.so nullok try_first_pass
>> auth       requisite    pam_succeed_if.so uid >= 104 quiet
>> auth       sufficient   /usr/local/lib/security/pam_krb5.so use_first_pass
>> auth       required     pam_deny.so
> Does the user's UNIX password match their Kerberos password?  If so, then
> pam_unix will succeed and nothing subsequent to that will run, so no
> Kerberos authentication was ever performed.
No, the local users are locked in the shadow file. The users have a "*" 
in the password field for the /etc/shadow file. I'm using nssdb for 
passwd and shadow file if that matters.
>> Here is the log from the kerberized login:
> This is a different problem.
>
>> Mar  1 16:39:15 myhost sshd[22412]: Authorized to jwedgeco, krb5 principal jwedgeco@MYREALM (krb5_kuserok)
>> Mar  1 16:39:15 myhost sshd[22412]: pam_krb5(sshd:account): pam_sm_acct_mgmt: entry
>> Mar  1 16:39:15 myhost sshd[22412]: pam_krb5(sshd:account): skipping non-Kerberos login
>> Mar  1 16:39:15 myhost sshd[22412]: pam_krb5(sshd:account): pam_sm_acct_mgmt: exit (ignore)
> This part is expected, I think.  The account group for pam-krb5 only makes
> sense in combination with a password authentication.  If you authenticate
> via GSS-API, sshd is responsible for doing the authorization check and
> there isn't anything for PAM to do.
>
>> Mar  1 16:39:15 myhost sshd[22412]: fatal: Access denied for user jwedgeco by PAM account configuration
>> account    required     pam_unix.so broken_shadow
>> account    sufficient   pam_succeed_if.so uid < 104 quiet
>> account    [default=bad success=ok user_unknown=ignore] /usr/local/lib/security/pam_krb5.so
>> account    required     pam_permit.so
> default=bad is mapping ignore to fail.  You need to add ignore=ignore to
> your configuration for the pam_krb5 line.  (You don't need
> user_unknown=ignore for my PAM module; it won't return user_unknown unless
> validation of a Kerberos login actually fails.)
>




new msktutil release (v0.4.1)

2012-03-01 Thread Ken Dreyer
I'm pleased to announce release 0.4.1 of msktutil.

msktutil is a program for interoperability with Active Directory. It
can create a computer account in Active Directory, create a system
Kerberos keytab, add and remove principals to and from that keytab,
and change the computer account's password automatically.

Changes from previous release:

   User-visible changes:
   Fix a LDAP SASL error to be non-fatal. (Thanks to James Knight and
   Thomas Bodenmann). James pushed this fix to Git, but it was not in
   any released version.

   Fix --enctypes when used with Win2K3. Win2k3 doesn't support the
   msDS-supportedEncryptionTypes ldap field, and in such a case, the
   local variable holding what encryption types to use didn't get
   properly updated.  (Thanks to James Knight and Thomas Bodenmann).
   James pushed this fix to Git, but it was not in any released version.

   Other build-related changes:
   The compiler steps in the Makefile are now more verbose to give
   greater visibility into the build process.

   Rely on autoconf to find the proper Kerberos and LDAP $LIBS flags.

   Add a --with-krb5-config option to determine the appropriate
   compilation flags. (With help from Russ Allbery.)

For the present the Git repository remains at:

   

You can download tarballs from:

   

I'm working on getting the package submitted into Fedora and EPEL, at

   

James Knight was the most recent in a long line of maintainers for the
msktutil project, and I want to say thank you to him and the other
maintainers recognized in the README (Dan Perry, Brian Elliott Finley,
Doug Engert). I welcome any patches or help with maintenance.



Re: Can't get Russ' pam_krb5 module to work with ssh on RHEL5

2012-03-01 Thread Russ Allbery
"Edgecombe, Jason"  writes:

> I have Russ Allbery's pam_krb5 and pam_afs_session modules working for
> console logins, but they fail for ssh logins (both password and
> kerberized).  I can get ssh logins to work with RedHat's pam_krb5
> module, but RedHat's module causes problems with AFS tokens and Gnome
> (gconfd).  Disabling ssh privilege separation doesn't make a
> difference. Any help is appreciated.

> Platform: RHEL 5.6 x86_64

> Here is the log from the password login:
> Mar  1 16:39:08 myhost sshd[22409]: pam_krb5(sshd:account): pam_sm_acct_mgmt: entry
> Mar  1 16:39:08 myhost sshd[22409]: pam_krb5(sshd:account): skipping non-Kerberos login
> Mar  1 16:39:08 myhost sshd[22409]: pam_krb5(sshd:account): pam_sm_acct_mgmt: exit (ignore)
> Mar  1 16:39:08 myhost sshd[22409]: fatal: Access denied for user jwedgeco by PAM account configuration

The first thing that jumps out here is that apparently the auth
functionality of pam-krb5 never ran.  Either that, or debug wasn't enabled
for auth, but the account group is also saying that the user didn't log on
with Kerberos.

> Contents of /etc/pam.d/system-auth-ac:
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth       optional     pam_group.so
> auth       required     pam_env.so
> auth       sufficient   pam_unix.so nullok try_first_pass
> auth       requisite    pam_succeed_if.so uid >= 104 quiet
> auth       sufficient   /usr/local/lib/security/pam_krb5.so use_first_pass
> auth       required     pam_deny.so

Does the user's UNIX password match their Kerberos password?  If so, then
pam_unix will succeed and nothing subsequent to that will run, so no
Kerberos authentication was ever performed.

> Here is the log from the kerberized login:

This is a different problem.

> Mar  1 16:39:15 myhost sshd[22412]: Authorized to jwedgeco, krb5 principal jwedgeco@MYREALM (krb5_kuserok)
> Mar  1 16:39:15 myhost sshd[22412]: pam_krb5(sshd:account): pam_sm_acct_mgmt: entry
> Mar  1 16:39:15 myhost sshd[22412]: pam_krb5(sshd:account): skipping non-Kerberos login
> Mar  1 16:39:15 myhost sshd[22412]: pam_krb5(sshd:account): pam_sm_acct_mgmt: exit (ignore)

This part is expected, I think.  The account group for pam-krb5 only makes
sense in combination with a password authentication.  If you authenticate
via GSS-API, sshd is responsible for doing the authorization check and
there isn't anything for PAM to do.

> Mar  1 16:39:15 myhost sshd[22412]: fatal: Access denied for user jwedgeco by PAM account configuration

> account    required     pam_unix.so broken_shadow
> account    sufficient   pam_succeed_if.so uid < 104 quiet
> account    [default=bad success=ok user_unknown=ignore] /usr/local/lib/security/pam_krb5.so
> account    required     pam_permit.so

default=bad is mapping ignore to fail.  You need to add ignore=ignore to
your configuration for the pam_krb5 line.  (You don't need
user_unknown=ignore for my PAM module; it won't return user_unknown unless
validation of a Kerberos login actually fails.)

-- 
Russ Allbery (r...@stanford.edu) 

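The control-field mapping Russ describes above (default=bad turning pam_krb5's PAM_IGNORE into a failure, and ignore=ignore curing it) can be checked mechanically. The following Python script is an added example, not code from pam-krb5, Linux-PAM or anyone in this thread. It parses pam.d-style lines and applies a simplified model of the pam.conf(5) control semantics (ok, bad, die, done, ignore, reset and N jumps; its handling of done after an earlier failure is an assumption of the model) to a constructed set of per-module return values for a GSS-API login by a regular user. Those return values (pam_unix success, pam_succeed_if failing its uid test, pam_krb5 returning ignore as in the posted log, pam_permit success) are assumptions chosen to replay the posted account stack; the stack text itself is the one from the post, re-joined onto one line per module.

```python
"""Simplified model of how Linux-PAM folds module return values into a verdict,
following the control-value semantics described in pam.conf(5).
Added example for this thread; not code from pam-krb5 or Linux-PAM."""

# The keyword controls are shorthand for these action tables (pam.conf(5)).
SHORTHAND = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}

# The account stack as posted in the thread, one line per module.
POSTED_ACCOUNT_STACK = """\
account required  pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 104 quiet
account [default=bad success=ok user_unknown=ignore] /usr/local/lib/security/pam_krb5.so
account required  pam_permit.so
"""
# The suggested fix: tell the bracketed control what to do with PAM_IGNORE.
FIXED_ACCOUNT_STACK = POSTED_ACCOUNT_STACK.replace("success=ok", "success=ok ignore=ignore")

# Constructed return values for a GSS-API login by a regular user (uid >= 104).
# pam_krb5 returns ignore, matching "pam_sm_acct_mgmt: exit (ignore)" in the posted log.
GSSAPI_LOGIN = {
    "pam_unix.so": "success",
    "pam_succeed_if.so": "auth_err",   # "uid < 104" is false, so the test fails
    "pam_krb5.so": "ignore",
    "pam_permit.so": "success",
}


def parse_stack(text, group):
    """Parse pam.d-style lines for one management group (auth, account, ...)
    into (action_table, module_basename) tuples; comments and other groups are skipped."""
    stack = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != group:
            continue
        if tokens[1].startswith("["):
            # Bracketed controls contain spaces, so find the token that closes them.
            end = next(i for i, t in enumerate(tokens) if t.endswith("]"))
            pairs = " ".join(tokens[1:end + 1]).strip("[]").split()
            table = dict(pair.split("=", 1) for pair in pairs)
            module = tokens[end + 1]
        else:
            table = dict(SHORTHAND[tokens[1]])
            module = tokens[2]
        stack.append((table, module.rsplit("/", 1)[-1]))
    return stack


def evaluate(stack, results):
    """Walk the stack using `results` (module basename -> lowercase PAM code such as
    'success', 'ignore', 'auth_err'). Returns (verdict, final_status, trace)."""
    impression = None   # None = nothing decided yet, True = passing, False = failing
    status = None
    trace = []
    i = 0
    while i < len(stack):
        table, module = stack[i]
        retval = results[module]
        action = table.get(retval, table.get("default", "bad"))
        trace.append((module, retval, action))
        i += 1
        if action == "ignore":
            continue                                   # return value does not count
        if action == "reset":
            impression, status = None, None
            continue
        if action in ("bad", "die"):
            if impression is not False:
                impression, status = False, retval     # first failure becomes the stack status
            if action == "die":
                break
            continue
        # ok, done and N all adopt the module's status while the stack is still passing.
        if impression is None or (impression is True and status == "success"):
            impression, status = (retval == "success"), retval
        if action == "done" and impression is True:
            break                                      # a passing sufficient module ends the stack
        if action.isdigit():
            i += int(action)                           # jump over the next N modules
    if impression is None:
        status = "perm_denied"                         # no module contributed a status
    verdict = "allowed" if status == "success" else "denied"
    return verdict, status, trace


if __name__ == "__main__":
    for label, text in (("as posted", POSTED_ACCOUNT_STACK), ("with ignore=ignore", FIXED_ACCOUNT_STACK)):
        verdict, status, trace = evaluate(parse_stack(text, "account"), GSSAPI_LOGIN)
        print(f"{label}: {verdict} (final status {status})")
        for module, retval, action in trace:
            print(f"  {module:<18} returned {retval:<9} -> {action}")
```

Running it prints the per-module trace for both stacks: in the posted one pam_krb5's ignore falls through to default=bad and the later pam_permit success cannot override the failure, so the account step is denied with a final status of ignore; with ignore=ignore the same return value is simply skipped and pam_permit's success stands. The parser also accepts the session-style `[success=1 default=ignore]` jump control from the posted system-auth-ac, so other groups from the file can be replayed the same way.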


Can't get Russ' pam_krb5 module to work with ssh on RHEL5

2012-03-01 Thread Edgecombe, Jason
Hi everyone,

I have Russ Allbery's pam_krb5 and pam_afs_session modules working  for console 
logins, but they fail for ssh logins (both password and kerberized).  I can get 
ssh logins to work with RedHat's pam_krb5 module, but RedHat's module causes 
problems with AFS tokens and Gnome (gconfd).  Disabling ssh privilege 
separation doesn't make a difference. Any help is appreciated.

Platform: RHEL 5.6 x86_64

Here is the log from the password login:
Mar  1 16:39:08 myhost sshd[22409]: pam_krb5(sshd:account): pam_sm_acct_mgmt: entry
Mar  1 16:39:08 myhost sshd[22409]: pam_krb5(sshd:account): skipping non-Kerberos login
Mar  1 16:39:08 myhost sshd[22409]: pam_krb5(sshd:account): pam_sm_acct_mgmt: exit (ignore)
Mar  1 16:39:08 myhost sshd[22409]: fatal: Access denied for user jwedgeco by PAM account configuration

Here is the log from the kerberized login:
Mar  1 16:39:15 myhost sshd[22412]: Authorized to jwedgeco, krb5 principal jwedgeco@MYREALM (krb5_kuserok)
Mar  1 16:39:15 myhost sshd[22412]: pam_krb5(sshd:account): pam_sm_acct_mgmt: entry
Mar  1 16:39:15 myhost sshd[22412]: pam_krb5(sshd:account): skipping non-Kerberos login
Mar  1 16:39:15 myhost sshd[22412]: pam_krb5(sshd:account): pam_sm_acct_mgmt: exit (ignore)
Mar  1 16:39:15 myhost sshd[22412]: fatal: Access denied for user jwedgeco by PAM account configuration

Contents of /etc/pam.d/system-auth-ac:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth       optional     pam_group.so
auth       required     pam_env.so
auth       sufficient   pam_unix.so nullok try_first_pass
auth       requisite    pam_succeed_if.so uid >= 104 quiet
auth       sufficient   /usr/local/lib/security/pam_krb5.so use_first_pass
auth       required     pam_deny.so

account    required     pam_unix.so broken_shadow
account    sufficient   pam_succeed_if.so uid < 104 quiet
account    [default=bad success=ok user_unknown=ignore] /usr/local/lib/security/pam_krb5.so
account    required     pam_permit.so

password   requisite    pam_cracklib.so try_first_pass retry=3
password   sufficient   pam_unix.so md5 shadow nullok try_first_pass use_authtok
password   sufficient   /usr/local/lib/security/pam_krb5.so use_authtok
password   required     pam_deny.so

session    optional     pam_keyinit.so revoke
session    required     pam_limits.so
session    [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session    required     pam_unix.so
session    optional     /usr/local/lib/security/pam_krb5.so
session    required     pam_afs_session.so
session    required     pam_mkhomedir.so skel=/etc/skel umask=0022 silent

Contents of /etc/pam.d/sshd:
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    sufficient   /usr/local/lib/security/pam_krb5.so
session    include      system-auth
session    required     pam_loginuid.so

Contents of /etc/ssh/sshd_config:
Protocol 2
SyslogFacility AUTHPRIV
ChallengeResponseAuthentication no
KerberosAuthentication yes
KerberosOrLocalPasswd no
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIAuthentication yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
X11Forwarding yes
UsePrivilegeSeparation yes
ShowPatchLevel no
Subsystem  sftp  /usr/libexec/openssh/sftp-server

Thanks,
Jason


---
Jason Edgecombe | Linux and Solaris Administrator
UNC Charlotte | The William States Lee College of Engineering
9201 University City Blvd. | Charlotte, NC 28223-0001
Phone: 704-687-3514
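The two things the replies in this thread pick out of these logs (pam_krb5's account hook exiting with ignore right before sshd reports "Access denied ... by PAM account configuration", and a password session with pam_krb5 account lines but no pam_krb5 auth lines at all) can be flagged automatically when working through a longer secure log. The following Python script is an added example, not part of pam-krb5, OpenSSH or anyone's post. It groups sshd lines by PID and reports those two symptoms per session. The embedded log text is constructed for the example: it repeats the two posted sessions and adds an invented working password login as a contrast; the pam_sm_authenticate lines in that extra session are assumed from pam-krb5's debug format, and the finding names are this example's own labels.

```python
"""Triage of sshd + pam-krb5 debug output for the two symptoms in this thread.
Added example; not part of pam-krb5, OpenSSH or anyone's post."""
import re
from collections import defaultdict

# Constructed sample modelled on the posted log: the two failing sessions from the
# post (PIDs 22409 and 22412) plus an invented working password login (PID 22500).
# The pam_sm_authenticate lines are assumed from pam-krb5's debug output format.
SAMPLE_LOG = """\
Mar  1 16:39:08 myhost sshd[22409]: pam_krb5(sshd:account): pam_sm_acct_mgmt: entry
Mar  1 16:39:08 myhost sshd[22409]: pam_krb5(sshd:account): skipping non-Kerberos login
Mar  1 16:39:08 myhost sshd[22409]: pam_krb5(sshd:account): pam_sm_acct_mgmt: exit (ignore)
Mar  1 16:39:08 myhost sshd[22409]: fatal: Access denied for user jwedgeco by PAM account configuration
Mar  1 16:39:15 myhost sshd[22412]: Authorized to jwedgeco, krb5 principal jwedgeco@MYREALM (krb5_kuserok)
Mar  1 16:39:15 myhost sshd[22412]: pam_krb5(sshd:account): pam_sm_acct_mgmt: entry
Mar  1 16:39:15 myhost sshd[22412]: pam_krb5(sshd:account): skipping non-Kerberos login
Mar  1 16:39:15 myhost sshd[22412]: pam_krb5(sshd:account): pam_sm_acct_mgmt: exit (ignore)
Mar  1 16:39:15 myhost sshd[22412]: fatal: Access denied for user jwedgeco by PAM account configuration
Mar  1 16:40:02 myhost sshd[22500]: pam_krb5(sshd:auth): pam_sm_authenticate: entry
Mar  1 16:40:02 myhost sshd[22500]: pam_krb5(sshd:auth): pam_sm_authenticate: exit (success)
Mar  1 16:40:02 myhost sshd[22500]: pam_krb5(sshd:account): pam_sm_acct_mgmt: entry
Mar  1 16:40:02 myhost sshd[22500]: pam_krb5(sshd:account): pam_sm_acct_mgmt: exit (success)
Mar  1 16:40:02 myhost sshd[22500]: Accepted password for jwedgeco from 192.0.2.10 port 50000 ssh2
"""

LINE_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ACCT_EXIT_RE = re.compile(r"pam_krb5\(sshd:account\): pam_sm_acct_mgmt: exit \((?P<code>\w+)\)")
DENIED_RE = re.compile(r"Access denied for user \S+ by PAM account configuration")

# Finding names are this example's own labels, not pam-krb5 or sshd terminology.
IGNORE_MAPPED_TO_FAILURE = "ignore_mapped_to_failure"   # pam_krb5 control field lacks ignore=ignore
KRB5_AUTH_NEVER_RAN = "krb5_auth_never_ran"             # earlier sufficient module won, or no auth debug


def triage(log_text):
    """Group sshd lines by PID and return {pid: [finding, ...]} for PIDs with findings."""
    sessions = defaultdict(lambda: {"auth_seen": False, "krb5_seen": False,
                                    "gssapi": False, "acct_exit": None, "denied": False})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        s, msg = sessions[m["pid"]], m["msg"]
        if "pam_krb5(sshd:auth)" in msg:
            s["auth_seen"] = True
        if "pam_krb5(" in msg:
            s["krb5_seen"] = True
        if msg.startswith("Authorized to") and "krb5 principal" in msg:
            s["gssapi"] = True          # sshd did the GSS-API authorization itself; no PAM auth expected
        e = ACCT_EXIT_RE.search(msg)
        if e:
            s["acct_exit"] = e["code"]
        if DENIED_RE.search(msg):
            s["denied"] = True

    findings = {}
    for pid, s in sessions.items():
        found = []
        if s["denied"] and s["acct_exit"] == "ignore":
            found.append(IGNORE_MAPPED_TO_FAILURE)
        if s["krb5_seen"] and not s["auth_seen"] and not s["gssapi"]:
            found.append(KRB5_AUTH_NEVER_RAN)
        if found:
            findings[pid] = found
    return findings


if __name__ == "__main__":
    for pid, found in sorted(triage(SAMPLE_LOG).items()):
        print(f"sshd[{pid}]: {', '.join(found)}")
```

On the sample, session 22412 (the GSS-API login) is flagged only for the ignore-to-failure mapping, since sshd's own krb5_kuserok authorization means no PAM auth lines are expected there; session 22409 (the password login) is flagged for both, and the working session 22500 produces nothing. Point it at a real secure log with pam_krb5 debug enabled to confirm the diagnosis before touching the control fields.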

