Russ Allbery [EMAIL PROTECTED] writes:
Looks like that was the secret. The problem is with
ChallengeResponseAuthentication; if you turn it on, the module fails,
and if you turn it off, it works.
I'll try to figure out what's going on and fix this.
I have a patch for this, but I'm giving
reassign 339734 libpam-krb5
severity 339734 serious
retitle 339734 libpam-krb5: ChallengeResponse with openssh-server fails
thanks
Marcus Better [EMAIL PROTECTED] writes:
[EMAIL PROTECTED]'s password:
Why does it say that? I get only Password:. I have the same version of
libpam-krb5 and
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Is there something unusual in your configuration?
I don't think so.
I use Heimdal, perhaps that's a difference? And I have the user accounts
in LDAP (but the passwords managed by Kerberos, outside of LDAP).
Permissions on /tmp for ticket caches?
Marcus Better [EMAIL PROTECTED] writes:
Here it is:
Nov 23 10:06:37 myhost sshd[18820]: (pam_krb5): none:
pam_sm_authenticate: entry
Nov 23 10:06:39 myhost sshd[18820]: (pam_krb5): marcus:
pam_sm_authenticate: exit (success)
Nov 23 10:06:39 myhost sshd[18818]: Accepted
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Russ Allbery wrote:
Hm. That looks okay. Could you add debug to the end of the two
pam_krb5.so lines and then send me the resulting log output from syslog
Here it is:
Nov 23 10:06:37 myhost sshd[18820]: (pam_krb5): none:
pam_sm_authenticate:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Could you send the contents of your /etc/pam.d/common-auth and
/etc/pam.d/common-session files?
/etc/pam.d/common-auth:
-
auth sufficient pam_krb5.so ignore_root
auth requiredpam_unix.so try_first_pass nullok_secure
-
Marcus Better [EMAIL PROTECTED] writes:
/etc/pam.d/common-auth:
auth sufficient pam_krb5.so ignore_root
auth requiredpam_unix.so try_first_pass nullok_secure
/etc/pam.d/common-session:
session optional pam_krb5.so ignore_root
session
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
libpam-krb5 1.2.0-1 has been uploaded. Let me know if that fixes the
problem for you when you get a chance to try it.
No, I still don't get it does not fix it. I have tried both with and
without privilege separation.
-BEGIN PGP SIGNATURE-
Marcus Better [EMAIL PROTECTED] writes:
libpam-krb5 1.2.0-1 has been uploaded. Let me know if that fixes the
problem for you when you get a chance to try it.
No, I still don't get it does not fix it. I have tried both with and
without privilege separation.
Could you send the contents of
Package: openssh-server
Version: 1:4.2p1-5
Severity: normal
I use OpenSSH with PAM authentication (UsePAM yes) and the pam_krb5
module. When I log in with SSH, the server correctly checks the
password agains Kerberos, but the ticket is not saved, so I have to do
kinit and authenticate again.
marcus [EMAIL PROTECTED] writes:
Package: openssh-server
Version: 1:4.2p1-5
Severity: normal
I use OpenSSH with PAM authentication (UsePAM yes) and the pam_krb5
module. When I log in with SSH, the server correctly checks the
password agains Kerberos, but the ticket is not saved, so I have
Russ Allbery [EMAIL PROTECTED] writes:
I think this is actually a bug in libpam-krb5, not in openssh. I'm
about to upload a new libpam-krb5 package that works for me (with PAM
and with privilege separation). Give that a try when it gets into the
archive and see if it works for you.
12 matches
Mail list logo