Date: Fri, 3 Feb 2006 12:29:00 -0600
I'm also having trouble configuring PAM in an afs/krb5 environment using
SL4.2. On Debian, I've used pam_krb5 and libpam-openafs-session for
credentials cache/token setup, and I'm looking for similar functionality
(though putting aklog in a startup script would be fine). Anyhow, I seem to
be misunderstanding something.
For now, I'm just trying to authenticate and end up with a credentials cache
on login (I can kinit fine). What is strange is the pam_krb5 debug output
given the setup below. The results are different based on whether the user
gives an incorrect password on the first attempt. This seems to indicate
something else is reading the password, since pam_krb5 does not appear to
receive it from the first prompt (see notes below).
Even when pam_krb5 does get a TGT, the session module can't find it. Thus,
no credentials cache anyway. Is KRB5CCNAME not being propagated or
something?
TIA,
--Doug Fuller
--University of North Texas
/etc/ssh/sshd_config:
PasswordAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
UsePrivilegeSeparation no
UsePAM yes
/etc/pam.d/sshd:
auth required pam_krb5.so debug forwardable
account required pam_unix.so
password required pam_krb5.so
session required pam_krb5.so forwardable
Local passwords are disabled.
When I log in, here is the output to /var/log/secure:
sshd[30568]: Accepted keyboard-interactive/pam for from port 34025 ssh2 # <-- Who is this?
sshd[30568]: pam_krb5[30568]: configured realm # <-- same PID. So is this session output from pam_krb5?
sshd[30568]: pam_krb5[30568]: flags: forwardable
sshd[30568]: pam_krb5[30568]: flag: ignore_afs
sshd[30568]: pam_krb5[30568]: flag: user_check
sshd[30568]: pam_krb5[30568]: flag: krb4_convert
sshd[30568]: pam_krb5[30568]: flag: warn
sshd[30568]: pam_krb5[30568]: ticket lifetime: 100000
sshd[30568]: pam_krb5[30568]: renewable lifetime: 100000
sshd[30568]: pam_krb5[30568]: banner: Kerberos 5
sshd[30568]: pam_krb5[30568]: ccache dir: /tmp
sshd[30568]: pam_krb5[30568]: keytab: /etc/krb5.keytab
sshd[30568]: pam_krb5[30568]: no v5 creds for user, skipping session setup
sshd[30568]: pam_krb5[30568]: pam_open_session returning 0 (Success)
sshd[30570]: pam_krb5[30570]: no v5 creds for user, skipping session setup
sshd[30570]: pam_krb5[30570]: configured realm
sshd[30570]: pam_krb5[30570]: flags: forwardable
sshd[30570]: pam_krb5[30570]: flag: ignore_afs
sshd[30570]: pam_krb5[30570]: flag: user_check
sshd[30570]: pam_krb5[30570]: flag: krb4_convert
sshd[30570]: pam_krb5[30570]: flag: warn
sshd[30570]: pam_krb5[30570]: ticket lifetime: 100000
sshd[30570]: pam_krb5[30570]: renewable lifetime: 100000
sshd[30570]: pam_krb5[30570]: banner: Kerberos 5
sshd[30570]: pam_krb5[30570]: ccache dir: /tmp
sshd[30570]: pam_krb5[30570]: keytab: /etc/krb5.keytab
sshd[30570]: pam_krb5[30570]: called to update credentials for
sshd[30570]: pam_krb5[30570]: _pam_krb5_sly_refresh returning 0 (Success)
Here is the output when the user enters his password incorrectly on the
first attempt:
sshd[30683]: error: PAM: Authentication failure for # <--- Who is this?
sshd[30685]: pam_krb5[30685]: configured realm
sshd[30685]: pam_krb5[30685]: flags: forwardable
sshd[30685]: pam_krb5[30685]: flag: ignore_afs
sshd[30685]: pam_krb5[30685]: flag: user_check
sshd[30685]: pam_krb5[30685]: flag: krb4_convert
sshd[30685]: pam_krb5[30685]: flag: warn
sshd[30685]: pam_krb5[30685]: ticket lifetime: 100000
sshd[30685]: pam_krb5[30685]: renewable lifetime: 100000
sshd[30685]: pam_krb5[30685]: banner: Kerberos 5
sshd[30685]: pam_krb5[30685]: ccache dir: /tmp
sshd[30685]: pam_krb5[30685]: keytab: /etc/krb5.keytab
sshd[30685]: pam_krb5[30685]: called to authenticate
sshd[30685]: pam_krb5[30685]: authenticating # <-- second password prompt here
sshd[30685]: pam_krb5[30685]: saving newly-entered password for use by other modules
sshd[30685]: pam_krb5[30685]: trying newly-entered password for
sshd[30685]: pam_krb5[30685]: authenticating to 'krbtgt'
sshd[30685]: pam_krb5[30685]: krb5_get_init_creds_password(krbtgt) returned 0 (Success)
sshd[30685]: pam_krb5[30685]: got result 0 (Success)
sshd[30685]: pam_krb5[30685]: obtaining v4-compatible key
sshd[30685]: pam_krb5[30685]: obtained des-cbc-crc v5 creds
sshd[30685]: pam_krb5[30685]: converting v5 creds to v4 creds (etype = 1)
sshd[30685]: pam_krb5[30685]: conversion succeeded
sshd[30685]: pam_krb5[30685]: authentication succeeds for
sshd[30685]: pam_krb5[30685]: pam_authenticate returning 0 (Success)
sshd[30683]: Accepted keyboard-interactive/pam port 34049 ssh2
sshd[30683]: pam_krb5[30683]: configured realm
sshd[30683]: pam_krb5[30683]: flags: forwardable
sshd[30683]: pam_krb5[30683]: flag: ignore_afs
sshd[30683]: pam_krb5[30683]: flag: user_check
sshd[30683]: pam_krb5[30683]: flag: krb4_convert
sshd[30683]: pam_krb5[30683]: flag: warn
sshd[30683]: pam_krb5[30683]: ticket lifetime: 100000
sshd[30683]: pam_krb5[30683]: renewable lifetime: 100000
sshd[30683]: pam_krb5[30683]: banner: Kerberos 5
sshd[30683]: pam_krb5[30683]: ccache dir: /tmp
sshd[30683]: pam_krb5[30683]: keytab: /etc/krb5.keytab
sshd[30683]: pam_krb5[30683]: no v5 creds for user, skipping session setup
sshd[30683]: pam_krb5[30683]: pam_open_session returning 0 (Success)
sshd[30686]: pam_krb5[30686]: no v5 creds for user, skipping session setup
sshd[30686]: pam_krb5[30686]: configured realm
sshd[30686]: pam_krb5[30686]: flags: forwardable
sshd[30686]: pam_krb5[30686]: flag: ignore_afs
sshd[30686]: pam_krb5[30686]: flag: user_check
sshd[30686]: pam_krb5[30686]: flag: krb4_convert
sshd[30686]: pam_krb5[30686]: flag: warn
sshd[30686]: pam_krb5[30686]: ticket lifetime: 100000
sshd[30686]: pam_krb5[30686]: renewable lifetime: 100000
sshd[30686]: pam_krb5[30686]: banner: Kerberos 5
sshd[30686]: pam_krb5[30686]: ccache dir: /tmp
sshd[30686]: pam_krb5[30686]: keytab: /etc/krb5.keytab
sshd[30686]: pam_krb5[30686]: called to update credentials for
sshd[30686]: pam_krb5[30686]: _pam_krb5_sly_refresh returning 0 (Success)
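Added here as an illustration, not part of the original message: a small Python checker that groups the pam_krb5 debug lines by sshd PID and flags the hand-off problem the poster describes, a PID that runs pam_open_session and reports "no v5 creds" while pam_authenticate succeeded in a different PID. The embedded log lines are constructed from the output quoted above; the function and marker names are my own.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the /var/log/secure excerpt above:
# auth succeeds in pid 30685, session/setcred run in 30683 and 30686.
SAMPLE_LOG = """\
sshd[30683]: error: PAM: Authentication failure for
sshd[30685]: pam_krb5[30685]: called to authenticate
sshd[30685]: pam_krb5[30685]: pam_authenticate returning 0 (Success)
sshd[30683]: Accepted keyboard-interactive/pam port 34049 ssh2
sshd[30683]: pam_krb5[30683]: no v5 creds for user, skipping session setup
sshd[30683]: pam_krb5[30683]: pam_open_session returning 0 (Success)
sshd[30686]: pam_krb5[30686]: no v5 creds for user, skipping session setup
sshd[30686]: pam_krb5[30686]: called to update credentials for
sshd[30686]: pam_krb5[30686]: _pam_krb5_sly_refresh returning 0 (Success)
"""

# "sshd[PID]: " followed by an optional "pam_krb5[PID]: " module prefix.
LINE_RE = re.compile(r"^sshd\[(\d+)\]: (?:pam_krb5\[\d+\]: )?(.*)$")

# Substrings that identify which PAM phase a debug line belongs to.
PHASES = {
    "pam_authenticate returning": "authenticate",
    "pam_open_session returning": "open_session",
    "called to update credentials": "setcred",
}


def parse_pam_krb5_log(text):
    """Return {pid: {"phases": set(...), "no_creds": bool}} per sshd PID."""
    by_pid = defaultdict(lambda: {"phases": set(), "no_creds": False})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = int(m.group(1)), m.group(2)
        for marker, phase in PHASES.items():
            if marker in msg:
                by_pid[pid]["phases"].add(phase)
        if "no v5 creds" in msg:
            by_pid[pid]["no_creds"] = True
    return dict(by_pid)


def diagnose(text):
    """List PIDs that opened a session without creds while auth ran elsewhere."""
    info = parse_pam_krb5_log(text)
    auth_pids = {p for p, i in info.items() if "authenticate" in i["phases"]}
    sess_pids = {p for p, i in info.items() if "open_session" in i["phases"]}
    return [f"pid {p}: session opened without creds; auth ran in {sorted(auth_pids)}"
            for p in sorted(sess_pids - auth_pids) if info[p]["no_creds"]]
```

Run `diagnose(SAMPLE_LOG)` against real `/var/log/secure` text to see at a glance whether the authenticating process and the session-opening process are the same PID.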