RE: Can't get Russ' pam_krb5 module to work with ssh on RHEL5
Thanks, I think that I'll leave KerberosAuthentication enabled. When I disabled it, I didn't have tokens when I logged in using a password instead of Kerberos tickets.

---
Jason Edgecombe | Linux and Solaris Administrator
UNC Charlotte | The William States Lee College of Engineering
9201 University City Blvd. | Charlotte, NC 28223-0001
Phone: 704-687-3514
jwedg...@uncc.edu | http://coe.uncc.edu | Facebook
---
If you are not the intended recipient of this transmission or a person responsible for delivering it to the intended recipient, any disclosure, copying, distribution, or other use of any of the information in this transmission is strictly prohibited. If you have received this transmission in error, please notify me immediately by reply e-mail or by telephone at 704-687-3514. Thank you.

-----Original Message-----
From: Russ Allbery [mailto:r...@stanford.edu]
Sent: Monday, March 05, 2012 2:12 PM
To: Edgecombe, Jason
Cc: 'kerberos@mit.edu'
Subject: Re: Can't get Russ' pam_krb5 module to work with ssh on RHEL5

Edgecombe, Jason <jwedg...@uncc.edu> writes:

> Ok, should I set KerberosAuthentication no in my sshd config?

It's really your call. If you're happy with how it works, I don't see a compelling reason to change. We don't use it, though; we use PAM. One thing that you may lose with that (I haven't checked) is proper handling of expired passwords.

-- 
Russ Allbery (r...@stanford.edu)             http://www.eyrie.org/~eagle/

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
RE: Can't get Russ' pam_krb5 module to work with ssh on RHEL5
Ok, should I set KerberosAuthentication no in my sshd config?

-----Original Message-----
From: Russ Allbery [mailto:r...@stanford.edu]
Sent: Friday, March 02, 2012 4:49 PM
To: Edgecombe, Jason
Cc: 'kerberos@mit.edu'
Subject: Re: Can't get Russ' pam_krb5 module to work with ssh on RHEL5

Edgecombe, Jason <jwedg...@uncc.edu> writes:

> Ah, I do have KerberosAuthentication yes in my sshd config. Does
> pam_afs_session still run, then?

Yeah, sshd will still run the session stack. pam-krb5 won't do anything, but pam-afs-session will pick up any existing KRB5CCNAME environment in the PAM environment, which it looks like sshd does set up in this case, and run aklog based on that.

-- 
Russ Allbery (r...@stanford.edu)             http://www.eyrie.org/~eagle/
Re: Can't get Russ' pam_krb5 module to work with ssh on RHEL5
Edgecombe, Jason <jwedg...@uncc.edu> writes:

> Ok, should I set KerberosAuthentication no in my sshd config?

It's really your call. If you're happy with how it works, I don't see a compelling reason to change. We don't use it, though; we use PAM. One thing that you may lose with that (I haven't checked) is proper handling of expired passwords.

-- 
Russ Allbery (r...@stanford.edu)             http://www.eyrie.org/~eagle/
RE: Can't get Russ' pam_krb5 module to work with ssh on RHEL5
Hi Russ,

I got console logins, password-based ssh logins and Kerberos ssh logins to work, but I'm puzzled by the system log output. The log messages suggest that Kerberos is not detected or used, but logins are working, tickets are granted, and tokens are obtained. From a user's perspective, everything looks fine. Should I be concerned about the logs?

Here is my system-auth-ac PAM config:

auth        optional      pam_group.so
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 104 quiet
auth        sufficient    /usr/local/lib/security/pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 104 quiet
#account    [default=bad success=ok user_unknown=ignore] /usr/local/lib/security/pam_krb5.so
account     required      /usr/local/lib/security/pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    /usr/local/lib/security/pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     required      /usr/local/lib/security/pam_krb5.so
session     required      pam_afs_session.so
session     required      pam_mkhomedir.so skel=/etc/skel umask=0022 silent

Here is my sshd PAM config:

auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    sufficient   /usr/local/lib/security/pam_krb5.so
session    include      system-auth
session    required     pam_loginuid.so

Here are the logs for a password-based ssh login:

Mar 2 09:49:31 myhostname sshd[32590]: pam_krb5(sshd:account): pam_sm_acct_mgmt: entry
Mar 2 09:49:31 myhostname sshd[32590]: pam_krb5(sshd:account): skipping non-Kerberos login
Mar 2 09:49:31 myhostname sshd[32590]: pam_krb5(sshd:account): pam_sm_acct_mgmt: exit (ignore)
Mar 2 09:49:31 myhostname sshd[32590]: Accepted password for jwedgeco from 152.15.179.130 port 50131 ssh2
Mar 2 09:49:31 myhostname sshd[32590]: pam_krb5(sshd:session): pam_sm_open_session: entry
Mar 2 09:49:31 myhostname sshd[32590]: pam_krb5(sshd:session): no context found, creating one
Mar 2 09:49:31 myhostname sshd[32590]: pam_krb5(sshd:session): (user jwedgeco) unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
Mar 2 09:49:31 myhostname sshd[32590]: pam_krb5(sshd:session): pam_sm_open_session: exit (ignore)
Mar 2 09:49:31 myhostname sshd[32590]: pam_unix(sshd:session): session opened for user jwedgeco by (uid=0)
Mar 2 09:49:31 myhostname sshd[32590]: pam_krb5(sshd:session): pam_sm_open_session: entry
Mar 2 09:49:31 myhostname sshd[32590]: pam_krb5(sshd:session): no context found, creating one
Mar 2 09:49:31 myhostname sshd[32590]: pam_krb5(sshd:session): (user jwedgeco) unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
Mar 2 09:49:31 myhostname sshd[32590]: pam_krb5(sshd:session): pam_sm_open_session: exit (ignore)
Mar 2 09:49:31 myhostname sshd[32590]: pam_afs_session(sshd:session): pam_sm_open_session: entry (0x0)
Mar 2 09:49:31 myhostname sshd[32590]: pam_afs_session(sshd:session): running /usr/bin/aklog as UID 12345
Mar 2 09:49:31 myhostname sshd[32590]: pam_afs_session(sshd:session): pam_sm_open_session: exit (success)

Here are the logs for a kerberized ssh login:

Mar 2 09:50:18 myhostname sshd[897]: Authorized to jwedgeco, krb5 principal jwedgeco@MYREALM (krb5_kuserok)
Mar 2 09:50:18 myhostname sshd[897]: pam_krb5(sshd:account): pam_sm_acct_mgmt: entry
Mar 2 09:50:18 myhostname sshd[897]: pam_krb5(sshd:account): skipping non-Kerberos login
Mar 2 09:50:18 myhostname sshd[897]: pam_krb5(sshd:account): pam_sm_acct_mgmt: exit (ignore)
Mar 2 09:50:18 myhostname sshd[897]: Accepted gssapi-with-mic for jwedgeco from 10.17.151.248 port 33058 ssh2
Mar 2 09:50:18 myhostname sshd[897]: pam_krb5(sshd:session): pam_sm_open_session: entry
Mar 2 09:50:18 myhostname sshd[897]: pam_krb5(sshd:session): no context found, creating one
Mar 2 09:50:18 myhostname sshd[897]: pam_krb5(sshd:session): (user jwedgeco) unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
Mar 2 09:50:18 myhostname sshd[897]: pam_krb5(sshd:session): pam_sm_open_session: exit (ignore)
Mar 2 09:50:18 myhostname sshd[897]: pam_unix(sshd:session): session opened for user jwedgeco by (uid=0)
Mar 2 09:50:18 myhostname sshd[897]: pam_krb5(sshd:session): pam_sm_open_session: entry
Mar 2 09:50:18 myhostname sshd[897]: pam_krb5(sshd:session): no
Re: Can't get Russ' pam_krb5 module to work with ssh on RHEL5
Edgecombe, Jason <jwedg...@uncc.edu> writes:

> I got console logins, password-based ssh logins and Kerberos ssh logins to work, but I'm puzzled by the system log output. The log messages suggest that Kerberos is not detected or used, but logins are working, tickets are granted, and tokens are obtained. From a user's perspective, everything looks fine. Should I be concerned about the logs?

[...]

> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_succeed_if.so uid < 104 quiet
> #account    [default=bad success=ok user_unknown=ignore] /usr/local/lib/security/pam_krb5.so
> account     required      /usr/local/lib/security/pam_krb5.so
> account     required      pam_permit.so

Ah, yes, that's a reasonable fix.

> Here are the logs for a password-based ssh login:

This part looks normal. pam-krb5 doesn't really have anything to do when logging on with GSS-API.

> Here are the logs for a kerberized ssh login:

> Mar 2 09:50:18 myhostname sshd[897]: Authorized to jwedgeco, krb5 principal jwedgeco@MYREALM (krb5_kuserok)

This log message is interesting. This makes it look like sshd is doing Kerberos authentication internally rather than using PAM. Could you double-check your sshd_config and make sure that it says something like:

    UsePAM yes

and does *not* say:

    KerberosAuthentication yes

I think you may have the latter setting, which tells sshd to do its own Kerberos password authentication, bypassing PAM. If that's working for you, then by all means use it, but just be aware that it doesn't use PAM and therefore none of your PAM configuration or settings will affect it and your authentication group will be ignored.

> For completeness, here are the logs for a console login:

This looks like what I'd expect.

-- 
Russ Allbery (r...@stanford.edu)             http://www.eyrie.org/~eagle/
RE: Can't get Russ' pam_krb5 module to work with ssh on RHEL5
Ah, I do have KerberosAuthentication yes in my sshd config. Does pam_afs_session still run, then?

-----Original Message-----
From: Russ Allbery [mailto:r...@stanford.edu]
Sent: Friday, March 02, 2012 4:02 PM
To: Edgecombe, Jason
Cc: 'kerberos@mit.edu'
Subject: Re: Can't get Russ' pam_krb5 module to work with ssh on RHEL5

Edgecombe, Jason <jwedg...@uncc.edu> writes:

> I got console logins, password-based ssh logins and Kerberos ssh logins to work, but I'm puzzled by the system log output. The log messages suggest that Kerberos is not detected or used, but logins are working, tickets are granted, and tokens are obtained. From a user's perspective, everything looks fine. Should I be concerned about the logs?

[...]

> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_succeed_if.so uid < 104 quiet
> #account    [default=bad success=ok user_unknown=ignore] /usr/local/lib/security/pam_krb5.so
> account     required      /usr/local/lib/security/pam_krb5.so
> account     required      pam_permit.so

Ah, yes, that's a reasonable fix.

> Here are the logs for a password-based ssh login:

This part looks normal. pam-krb5 doesn't really have anything to do when logging on with GSS-API.

> Here are the logs for a kerberized ssh login:

> Mar 2 09:50:18 myhostname sshd[897]: Authorized to jwedgeco, krb5 principal jwedgeco@MYREALM (krb5_kuserok)

This log message is interesting. This makes it look like sshd is doing Kerberos authentication internally rather than using PAM. Could you double-check your sshd_config and make sure that it says something like:

    UsePAM yes

and does *not* say:

    KerberosAuthentication yes

I think you may have the latter setting, which tells sshd to do its own Kerberos password authentication, bypassing PAM. If that's working for you, then by all means use it, but just be aware that it doesn't use PAM and therefore none of your PAM configuration or settings will affect it and your authentication group will be ignored.

> For completeness, here are the logs for a console login:

This looks like what I'd expect.

-- 
Russ Allbery (r...@stanford.edu)             http://www.eyrie.org/~eagle/
Re: Can't get Russ' pam_krb5 module to work with ssh on RHEL5
Edgecombe, Jason <jwedg...@uncc.edu> writes:

> Ah, I do have KerberosAuthentication yes in my sshd config. Does
> pam_afs_session still run, then?

Yeah, sshd will still run the session stack. pam-krb5 won't do anything, but pam-afs-session will pick up any existing KRB5CCNAME environment in the PAM environment, which it looks like sshd does set up in this case, and run aklog based on that.

-- 
Russ Allbery (r...@stanford.edu)             http://www.eyrie.org/~eagle/
Can't get Russ' pam_krb5 module to work with ssh on RHEL5
Hi everyone,

I have Russ Allbery's pam_krb5 and pam_afs_session modules working for console logins, but they fail for ssh logins (both password and kerberized). I can get ssh logins to work with RedHat's pam_krb5 module, but RedHat's module causes problems with AFS tokens and Gnome (gconfd). Disabling ssh privilege separation doesn't make a difference. Any help is appreciated.

Platform: RHEL 5.6 x86_64

Here is the log from the password login:

Mar 1 16:39:08 myhost sshd[22409]: pam_krb5(sshd:account): pam_sm_acct_mgmt: entry
Mar 1 16:39:08 myhost sshd[22409]: pam_krb5(sshd:account): skipping non-Kerberos login
Mar 1 16:39:08 myhost sshd[22409]: pam_krb5(sshd:account): pam_sm_acct_mgmt: exit (ignore)
Mar 1 16:39:08 myhost sshd[22409]: fatal: Access denied for user jwedgeco by PAM account configuration

Here is the log from the kerberized login:

Mar 1 16:39:15 myhost sshd[22412]: Authorized to jwedgeco, krb5 principal jwedgeco@MYREALM (krb5_kuserok)
Mar 1 16:39:15 myhost sshd[22412]: pam_krb5(sshd:account): pam_sm_acct_mgmt: entry
Mar 1 16:39:15 myhost sshd[22412]: pam_krb5(sshd:account): skipping non-Kerberos login
Mar 1 16:39:15 myhost sshd[22412]: pam_krb5(sshd:account): pam_sm_acct_mgmt: exit (ignore)
Mar 1 16:39:15 myhost sshd[22412]: fatal: Access denied for user jwedgeco by PAM account configuration

Contents of /etc/pam.d/system-auth-ac:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        optional      pam_group.so
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 104 quiet
auth        sufficient    /usr/local/lib/security/pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 104 quiet
account     [default=bad success=ok user_unknown=ignore] /usr/local/lib/security/pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    /usr/local/lib/security/pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      /usr/local/lib/security/pam_krb5.so
session     required      pam_afs_session.so
session     required      pam_mkhomedir.so skel=/etc/skel umask=0022 silent

Contents of /etc/pam.d/sshd:

auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    sufficient   /usr/local/lib/security/pam_krb5.so
session    include      system-auth
session    required     pam_loginuid.so

Contents of /etc/ssh/sshd_config:

Protocol 2
SyslogFacility AUTHPRIV
ChallengeResponseAuthentication no
KerberosAuthentication yes
KerberosOrLocalPasswd no
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIAuthentication yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
X11Forwarding yes
UsePrivilegeSeparation yes
ShowPatchLevel no
Subsystem sftp /usr/libexec/openssh/sftp-server

Thanks,
Jason
Re: Can't get Russ' pam_krb5 module to work with ssh on RHEL5
Edgecombe, Jason <jwedg...@uncc.edu> writes:

> I have Russ Allbery's pam_krb5 and pam_afs_session modules working for console logins, but they fail for ssh logins (both password and kerberized). I can get ssh logins to work with RedHat's pam_krb5 module, but RedHat's module causes problems with AFS tokens and Gnome (gconfd). Disabling ssh privilege separation doesn't make a difference. Any help is appreciated.

> Platform: RHEL 5.6 x86_64

> Here is the log from the password login:

> Mar 1 16:39:08 myhost sshd[22409]: pam_krb5(sshd:account): pam_sm_acct_mgmt: entry
> Mar 1 16:39:08 myhost sshd[22409]: pam_krb5(sshd:account): skipping non-Kerberos login
> Mar 1 16:39:08 myhost sshd[22409]: pam_krb5(sshd:account): pam_sm_acct_mgmt: exit (ignore)
> Mar 1 16:39:08 myhost sshd[22409]: fatal: Access denied for user jwedgeco by PAM account configuration

The first thing that jumps out here is that apparently the auth functionality of pam-krb5 never ran. Either that, or debug wasn't enabled for auth, but the account group is also saying that the user didn't log on with Kerberos.

> Contents of /etc/pam.d/system-auth-ac:

> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        optional      pam_group.so
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 104 quiet
> auth        sufficient    /usr/local/lib/security/pam_krb5.so use_first_pass
> auth        required      pam_deny.so

Does the user's UNIX password match their Kerberos password? If so, then pam_unix will succeed and nothing subsequent to that will run, so no Kerberos authentication was ever performed.

> Here is the log from the kerberized login:

This is a different problem.

> Mar 1 16:39:15 myhost sshd[22412]: Authorized to jwedgeco, krb5 principal jwedgeco@MYREALM (krb5_kuserok)
> Mar 1 16:39:15 myhost sshd[22412]: pam_krb5(sshd:account): pam_sm_acct_mgmt: entry
> Mar 1 16:39:15 myhost sshd[22412]: pam_krb5(sshd:account): skipping non-Kerberos login
> Mar 1 16:39:15 myhost sshd[22412]: pam_krb5(sshd:account): pam_sm_acct_mgmt: exit (ignore)

This part is expected, I think. The account group for pam-krb5 only makes sense in combination with a password authentication. If you authenticate via GSS-API, sshd is responsible for doing the authorization check and there isn't anything for PAM to do.

> Mar 1 16:39:15 myhost sshd[22412]: fatal: Access denied for user jwedgeco by PAM account configuration

> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_succeed_if.so uid < 104 quiet
> account     [default=bad success=ok user_unknown=ignore] /usr/local/lib/security/pam_krb5.so
> account     required      pam_permit.so

default=bad is mapping ignore to fail. You need to add ignore=ignore to your configuration for the pam_krb5 line. (You don't need user_unknown=ignore for my PAM module; it won't return user_unknown unless validation of a Kerberos login actually fails.)

-- 
Russ Allbery (r...@stanford.edu)             http://www.eyrie.org/~eagle/
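The following Python is an added illustration, not code from this thread, from pam-krb5 or from Linux-PAM: it models libpam's control-flag handling for the account stacks quoted above, using a simplified reconstruction of the rules in pam.conf(5) (the jump and reset actions are left out) and constructed per-module return values for a login that pam_krb5 did not authenticate. It shows the posted `[default=bad success=ok user_unknown=ignore]` line turning pam_krb5's ignore into a denial, and both the `ignore=ignore` suggestion and the later `required` form letting the login through.

```python
"""Simplified model of how Linux-PAM combines module results in an account
stack. Added example for this thread, not code from pam-krb5 or Linux-PAM:
the rules below are reconstructed from pam.conf(5) and omit the jump (N)
and reset actions. It shows why [default=bad success=ok user_unknown=ignore]
turned pam_krb5's PAM_IGNORE into a denial and why `required` does not."""

# Keyword controls expanded to their bracketed equivalents (pam.conf(5)).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}


def parse_control(control):
    """Return the {return_value: action} map for a control field."""
    control = control.strip()
    if control in KEYWORDS:
        return dict(KEYWORDS[control])
    if control.startswith("[") and control.endswith("]"):
        actions = {}
        for pair in control[1:-1].split():
            ret, sep, action = pair.partition("=")
            if not sep or not action:
                raise ValueError("malformed control token: %r" % pair)
            actions[ret] = action
        return actions
    raise ValueError("unknown control: %r" % control)


def run_stack(stack, results):
    """Evaluate (control, module) entries; results maps module -> return value
    for this login (e.g. "success", "ignore"). Returns the final stack result."""
    status = None      # value carried forward by an ok/done action
    failed = False     # a bad/die action has already fixed the outcome
    for control, module in stack:
        rv = results.get(module, "success")
        actions = parse_control(control)
        action = actions.get(rv, actions.get("default", "bad"))
        if action == "ignore":
            continue
        if action in ("bad", "die"):
            if not failed:
                # libpam never returns PAM_IGNORE to the application; a stack
                # that failed on an ignored module is reported as a denial.
                status, failed = (rv if rv != "ignore" else "perm_denied"), True
            if action == "die":
                break
        elif action in ("ok", "done"):
            if not failed:
                status = rv
                if action == "done":
                    break
        else:
            raise ValueError("unsupported action: %r" % action)
    # A stack in which every module was ignored is also a denial.
    return status if status is not None else "perm_denied"


# Account stacks from the thread (module paths shortened). pam_succeed_if's
# uid < 104 test fails for a normal user; pam_krb5 returns ignore for a login
# it did not authenticate (password via pam_unix, or GSS-API in sshd).
POSTED_STACK = [
    ("required", "pam_unix.so"),
    ("sufficient", "pam_succeed_if.so"),
    ("[default=bad success=ok user_unknown=ignore]", "pam_krb5.so"),
    ("required", "pam_permit.so"),
]
SUGGESTED_STACK = list(POSTED_STACK)       # Russ's fix: add ignore=ignore
SUGGESTED_STACK[2] = ("[default=bad success=ok ignore=ignore]", "pam_krb5.so")
FIXED_STACK = list(POSTED_STACK)           # what the later config uses
FIXED_STACK[2] = ("required", "pam_krb5.so")

# Constructed per-module results for a non-Kerberos ssh login.
NON_KRB5_LOGIN = {"pam_unix.so": "success", "pam_succeed_if.so": "auth_err",
                  "pam_krb5.so": "ignore", "pam_permit.so": "success"}

if __name__ == "__main__":
    for name, stack in (("posted", POSTED_STACK), ("ignore=ignore", SUGGESTED_STACK),
                        ("required", FIXED_STACK)):
        print("%-14s -> %s" % (name, run_stack(stack, NON_KRB5_LOGIN)))
```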
Re: Can't get Russ' pam_krb5 module to work with ssh on RHEL5
On 03/01/2012 06:43 PM, Russ Allbery wrote:
> Edgecombe, Jason <jwedg...@uncc.edu> writes:
>
>> I have Russ Allbery's pam_krb5 and pam_afs_session modules working for console logins, but they fail for ssh logins (both password and kerberized). I can get ssh logins to work with RedHat's pam_krb5 module, but RedHat's module causes problems with AFS tokens and Gnome (gconfd). Disabling ssh privilege separation doesn't make a difference. Any help is appreciated.
>
>> Platform: RHEL 5.6 x86_64
>
>> Here is the log from the password login:
>
>> Mar 1 16:39:08 myhost sshd[22409]: pam_krb5(sshd:account): pam_sm_acct_mgmt: entry
>> Mar 1 16:39:08 myhost sshd[22409]: pam_krb5(sshd:account): skipping non-Kerberos login
>> Mar 1 16:39:08 myhost sshd[22409]: pam_krb5(sshd:account): pam_sm_acct_mgmt: exit (ignore)
>> Mar 1 16:39:08 myhost sshd[22409]: fatal: Access denied for user jwedgeco by PAM account configuration
>
> The first thing that jumps out here is that apparently the auth functionality of pam-krb5 never ran. Either that, or debug wasn't enabled for auth, but the account group is also saying that the user didn't log on with Kerberos.
>
>> Contents of /etc/pam.d/system-auth-ac:
>
>> #%PAM-1.0
>> # This file is auto-generated.
>> # User changes will be destroyed the next time authconfig is run.
>> auth        optional      pam_group.so
>> auth        required      pam_env.so
>> auth        sufficient    pam_unix.so nullok try_first_pass
>> auth        requisite     pam_succeed_if.so uid >= 104 quiet
>> auth        sufficient    /usr/local/lib/security/pam_krb5.so use_first_pass
>> auth        required      pam_deny.so
>
> Does the user's UNIX password match their Kerberos password? If so, then pam_unix will succeed and nothing subsequent to that will run, so no Kerberos authentication was ever performed.

No, the local users are locked in the shadow file. The users have a * in the password field for the /etc/shadow file. I'm using nssdb for passwd and shadow file if that matters.

>> Here is the log from the kerberized login:
>
> This is a different problem.
>
>> Mar 1 16:39:15 myhost sshd[22412]: Authorized to jwedgeco, krb5 principal jwedgeco@MYREALM (krb5_kuserok)
>> Mar 1 16:39:15 myhost sshd[22412]: pam_krb5(sshd:account): pam_sm_acct_mgmt: entry
>> Mar 1 16:39:15 myhost sshd[22412]: pam_krb5(sshd:account): skipping non-Kerberos login
>> Mar 1 16:39:15 myhost sshd[22412]: pam_krb5(sshd:account): pam_sm_acct_mgmt: exit (ignore)
>
> This part is expected, I think. The account group for pam-krb5 only makes sense in combination with a password authentication. If you authenticate via GSS-API, sshd is responsible for doing the authorization check and there isn't anything for PAM to do.
>
>> Mar 1 16:39:15 myhost sshd[22412]: fatal: Access denied for user jwedgeco by PAM account configuration
>
>> account     required      pam_unix.so broken_shadow
>> account     sufficient    pam_succeed_if.so uid < 104 quiet
>> account     [default=bad success=ok user_unknown=ignore] /usr/local/lib/security/pam_krb5.so
>> account     required      pam_permit.so
>
> default=bad is mapping ignore to fail. You need to add ignore=ignore to your configuration for the pam_krb5 line. (You don't need user_unknown=ignore for my PAM module; it won't return user_unknown unless validation of a Kerberos login actually fails.)
Re: Can't get Russ' pam_krb5 module to work with ssh on RHEL5
Jason Edgecombe <ja...@rampaginggeek.com> writes:

> No, the local users are locked in the shadow file. The users have a * in
> the password field for the /etc/shadow file. I'm using nssdb for passwd
> and shadow file if that matters.

If you lock users in /etc/shadow, pam_unix will reject all logins via whatever mechanism for those users. So you either have to arrange to bypass pam_unix entirely in PAM, or you need to not lock users and instead just give them invalid password entries.

However, * isn't locking the account; ! is locking the account. At least on Debian; maybe pam_unix works differently on Red Hat?

-- 
Russ Allbery (r...@stanford.edu)             http://www.eyrie.org/~eagle/
Re: Can't get Russ' pam_krb5 module to work with ssh on RHEL5
On 03/01/2012 07:38 PM, Russ Allbery wrote:
> Jason Edgecombe <ja...@rampaginggeek.com> writes:
>
>> No, the local users are locked in the shadow file. The users have a * in
>> the password field for the /etc/shadow file. I'm using nssdb for passwd
>> and shadow file if that matters.
>
> If you lock users in /etc/shadow, pam_unix will reject all logins via whatever mechanism for those users. So you either have to arrange to bypass pam_unix entirely in PAM, or you need to not lock users and instead just give them invalid password entries.
>
> However, * isn't locking the account; ! is locking the account. At least on Debian; maybe pam_unix works differently on Red Hat?

Well, pam_unix worked fine with RedHat's pam_krb5. Console and GDM logins work; only ssh is broken. I don't think that the password entries are a problem.
Re: Can't get Russ' pam_krb5 module to work with ssh on RHEL5
Jason Edgecombe <ja...@rampaginggeek.com> writes:
> On 03/01/2012 07:38 PM, Russ Allbery wrote:

>> If you lock users in /etc/shadow, pam_unix will reject all logins via whatever mechanism for those users. So you either have to arrange to bypass pam_unix entirely in PAM, or you need to not lock users and instead just give them invalid password entries.

>> However, * isn't locking the account; ! is locking the account. At least on Debian; maybe pam_unix works differently on Red Hat?

> Well, pam_unix worked fine with RedHat's pam_krb5. Console and GDM logins work; only ssh is broken. I don't think that the password entries are a problem.

There are two things that are obviously failing given your logs:

* pam-krb5 is not running at all during the authentication step. This obviously can't be a problem with pam-krb5. :) Something is wrong with the PAM configuration.

* The account group in PAM is rejecting the login despite the fact that pam-krb5 is returning ignore. I'm pretty sure that adding the missing ignore=ignore directive will fix this.

-- 
Russ Allbery (r...@stanford.edu)             http://www.eyrie.org/~eagle/