Date: Fri, 3 Feb 2006 13:27:01 -0600
Hi Doug,
I'm trying to figure out what you're trying to do, just not quite sure.
Are you trying to log into a machine using your AFS password? a local
password? a kerberos password?
When you log in, are you expecting an AFS token? a kerberos5 ticket? a
kerberos4 ticket?
Also, does this work for a local user sitting down at the console?
openssh and kerberos have been a headache, so getting ssh out of the
picture clears up a lot of things.
Troy
Douglas Fuller wrote:
> I'm also having trouble configuring PAM in an afs/krb5 environment using
> SL4.2. On Debian, I've used pam_krb5 and libpam-openafs-session for
> credentials cache/token setup, and I'm looking for similar functionality
> (though putting aklog in a startup script would be fine). Anyhow, I seem to
> be misunderstanding something.
>
> For now, I'm just trying to authenticate and end up with a credentials cache
> on login (I can kinit fine). What is strange is the pam_krb5 debug output
> given the setup below. The results are different based on whether the user
> gives an incorrect password on the first attempt. This seems to indicate
> something else is reading the password, since pam_krb5 does not appear to
> receive it from the first prompt (see notes below).
>
> Even when pam_krb5 does get a TGT, the session module can't find it. Thus,
> no credentials cache anyway. Is KRB5CCNAME not being propagated or
> something?
>
> TIA,
> --Doug Fuller
> --University of North Texas
>
> /etc/ssh/sshd_config:
> PasswordAuthentication no
> KerberosAuthentication no
> GSSAPIAuthentication no
> UsePrivilegeSeparation no
> UsePAM yes
>
> /etc/pam.d/sshd:
> auth required pam_krb5.so debug forwardable
> account required pam_unix.so
> password required pam_krb5.so
> session required pam_krb5.so forwardable
>
> Local passwords are disabled.
>
> When I log in, here is the output to /var/log/secure:
> sshd[30568]: Accepted keyboard-interactive/pam for from port 34025 ssh2 #
> <-- Who is this?
> sshd[30568]: pam_krb5[30568]: configured realm # <-- same PID. So is this
> session output from pam_krb5?
> sshd[30568]: pam_krb5[30568]: flags: forwardable
> sshd[30568]: pam_krb5[30568]: flag: ignore_afs
> sshd[30568]: pam_krb5[30568]: flag: user_check
> sshd[30568]: pam_krb5[30568]: flag: krb4_convert
> sshd[30568]: pam_krb5[30568]: flag: warn
> sshd[30568]: pam_krb5[30568]: ticket lifetime: 100000
> sshd[30568]: pam_krb5[30568]: renewable lifetime: 100000
> sshd[30568]: pam_krb5[30568]: banner: Kerberos 5
> sshd[30568]: pam_krb5[30568]: ccache dir: /tmp
> sshd[30568]: pam_krb5[30568]: keytab: /etc/krb5.keytab
> sshd[30568]: pam_krb5[30568]: no v5 creds for user, skipping session setup
> sshd[30568]: pam_krb5[30568]: pam_open_session returning 0 (Success)
> sshd[30570]: pam_krb5[30570]: no v5 creds for user, skipping session setup
> sshd[30570]: pam_krb5[30570]: configured realm
> sshd[30570]: pam_krb5[30570]: flags: forwardable
> sshd[30570]: pam_krb5[30570]: flag: ignore_afs
> sshd[30570]: pam_krb5[30570]: flag: user_check
> sshd[30570]: pam_krb5[30570]: flag: krb4_convert
> sshd[30570]: pam_krb5[30570]: flag: warn
> sshd[30570]: pam_krb5[30570]: ticket lifetime: 100000
> sshd[30570]: pam_krb5[30570]: renewable lifetime: 100000
> sshd[30570]: pam_krb5[30570]: banner: Kerberos 5
> sshd[30570]: pam_krb5[30570]: ccache dir: /tmp
> sshd[30570]: pam_krb5[30570]: keytab: /etc/krb5.keytab
> sshd[30570]: pam_krb5[30570]: called to update credentials for
> sshd[30570]: pam_krb5[30570]: _pam_krb5_sly_refresh returning 0 (Success)
>
> Here is the output when the user enters his password incorrectly on the
> first attempt:
>
> sshd[30683]: error: PAM: Authentication failure for # <--- Who is this?
> sshd[30685]: pam_krb5[30685]: configured realm
> sshd[30685]: pam_krb5[30685]: flags: forwardable
> sshd[30685]: pam_krb5[30685]: flag: ignore_afs
> sshd[30685]: pam_krb5[30685]: flag: user_check
> sshd[30685]: pam_krb5[30685]: flag: krb4_convert
> sshd[30685]: pam_krb5[30685]: flag: warn
> sshd[30685]: pam_krb5[30685]: ticket lifetime: 100000
> sshd[30685]: pam_krb5[30685]: renewable lifetime: 100000
> sshd[30685]: pam_krb5[30685]: banner: Kerberos 5
> sshd[30685]: pam_krb5[30685]: ccache dir: /tmp
> sshd[30685]: pam_krb5[30685]: keytab: /etc/krb5.keytab
> sshd[30685]: pam_krb5[30685]: called to authenticate
> sshd[30685]: pam_krb5[30685]: authenticating # <-- second password prompt
> here
> sshd[30685]: pam_krb5[30685]: saving newly-entered password for use by other
> modules
> sshd[30685]: pam_krb5[30685]: trying newly-entered password for
> sshd[30685]: pam_krb5[30685]: authenticating to 'krbtgt'
> sshd[30685]: pam_krb5[30685]: krb5_get_init_creds_password(krbtgt) returned
> 0 (Success)
> sshd[30685]: pam_krb5[30685]: got result 0 (Success)
> sshd[30685]: pam_krb5[30685]: obtaining v4-compatible key
> sshd[30685]: pam_krb5[30685]: obtained des-cbc-crc v5 creds
> sshd[30685]: pam_krb5[30685]: converting v5 creds to v4 creds (etype = 1)
> sshd[30685]: pam_krb5[30685]: conversion succeeded
> sshd[30685]: pam_krb5[30685]: authentication succeeds for
> sshd[30685]: pam_krb5[30685]: pam_authenticate returning 0 (Success)
> sshd[30683]: Accepted keyboard-interactive/pam port 34049 ssh2
> sshd[30683]: pam_krb5[30683]: configured realm
> sshd[30683]: pam_krb5[30683]: flags: forwardable
> sshd[30683]: pam_krb5[30683]: flag: ignore_afs
> sshd[30683]: pam_krb5[30683]: flag: user_check
> sshd[30683]: pam_krb5[30683]: flag: krb4_convert
> sshd[30683]: pam_krb5[30683]: flag: warn
> sshd[30683]: pam_krb5[30683]: ticket lifetime: 100000
> sshd[30683]: pam_krb5[30683]: renewable lifetime: 100000
> sshd[30683]: pam_krb5[30683]: banner: Kerberos 5
> sshd[30683]: pam_krb5[30683]: ccache dir: /tmp
> sshd[30683]: pam_krb5[30683]: keytab: /etc/krb5.keytab
> sshd[30683]: pam_krb5[30683]: no v5 creds for user, skipping session setup
> sshd[30683]: pam_krb5[30683]: pam_open_session returning 0 (Success)
> sshd[30686]: pam_krb5[30686]: no v5 creds for user, skipping session setup
> sshd[30686]: pam_krb5[30686]: configured realm
> sshd[30686]: pam_krb5[30686]: flags: forwardable
> sshd[30686]: pam_krb5[30686]: flag: ignore_afs
> sshd[30686]: pam_krb5[30686]: flag: user_check
> sshd[30686]: pam_krb5[30686]: flag: krb4_convert
> sshd[30686]: pam_krb5[30686]: flag: warn
> sshd[30686]: pam_krb5[30686]: ticket lifetime: 100000
> sshd[30686]: pam_krb5[30686]: renewable lifetime: 100000
> sshd[30686]: pam_krb5[30686]: banner: Kerberos 5
> sshd[30686]: pam_krb5[30686]: ccache dir: /tmp
> sshd[30686]: pam_krb5[30686]: keytab: /etc/krb5.keytab
> sshd[30686]: pam_krb5[30686]: called to update credentials for
> sshd[30686]: pam_krb5[30686]: _pam_krb5_sly_refresh returning 0 (Success)
--
__________________________________________________
Troy Dawson [log in to unmask] (630)840-6468
Fermilab ComputingDivision/CSS CSI Group
__________________________________________________
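Added example (not part of either message above): a small Python script that groups the pam_krb5 debug lines from Doug's /var/log/secure excerpt by sshd process and reports where the TGT was obtained in one PID while the session and setcred phases ran in other PIDs that reported "no v5 creds". The sample log is a constructed, abridged copy of the second excerpt in the thread; the phase-marker strings are taken from those lines, and the function names are this example's own.

```python
"""Group pam_krb5 debug output from /var/log/secure by sshd process and
report where a TGT was obtained in one process while the session/setcred
phases ran in others that saw no credentials."""
import re
from collections import defaultdict

# Constructed sample, abridged from the second /var/log/secure excerpt in the
# thread (the usernames are blank in the posted lines and are blank here too).
SAMPLE_LOG = """\
sshd[30683]: error: PAM: Authentication failure for
sshd[30685]: pam_krb5[30685]: called to authenticate
sshd[30685]: pam_krb5[30685]: authenticating
sshd[30685]: pam_krb5[30685]: authenticating to 'krbtgt'
sshd[30685]: pam_krb5[30685]: krb5_get_init_creds_password(krbtgt) returned 0 (Success)
sshd[30685]: pam_krb5[30685]: authentication succeeds for
sshd[30685]: pam_krb5[30685]: pam_authenticate returning 0 (Success)
sshd[30683]: Accepted keyboard-interactive/pam port 34049 ssh2
sshd[30683]: pam_krb5[30683]: ccache dir: /tmp
sshd[30683]: pam_krb5[30683]: no v5 creds for user, skipping session setup
sshd[30683]: pam_krb5[30683]: pam_open_session returning 0 (Success)
sshd[30686]: pam_krb5[30686]: no v5 creds for user, skipping session setup
sshd[30686]: pam_krb5[30686]: called to update credentials for
sshd[30686]: pam_krb5[30686]: _pam_krb5_sly_refresh returning 0 (Success)
"""

# sshd[<pid>]: optionally followed by pam_krb5[<pid>]: then the message.
LINE_RE = re.compile(r'^sshd\[(\d+)\]: (?:pam_krb5\[\d+\]: )?(.*)$')


def parse(log_text):
    """Yield (sshd_pid, message) for each sshd line; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2)


def summarize(log_text):
    """Per sshd PID: which PAM phases ran there and what pam_krb5 reported."""
    per_pid = defaultdict(lambda: {"phases": set(), "got_tgt": False,
                                   "no_creds": False})
    for pid, msg in parse(log_text):
        rec = per_pid[pid]
        if msg.startswith(("called to authenticate",
                           "pam_authenticate returning")):
            rec["phases"].add("auth")
        if msg.startswith("krb5_get_init_creds_password") and "returned 0" in msg:
            rec["got_tgt"] = True          # a TGT was obtained in this process
        if msg.startswith("pam_open_session returning"):
            rec["phases"].add("session")
        if msg.startswith("called to update credentials"):
            rec["phases"].add("setcred")
        if msg.startswith("no v5 creds for user"):
            rec["no_creds"] = True         # this process never saw the creds
    return dict(per_pid)


def handoff_gaps(summary):
    """Pair each PID that obtained a TGT with every PID that later ran the
    session or setcred phase without seeing credentials. A non-empty list
    means the credentials were never handed across the process boundary,
    which is what the posted logs show."""
    auth_pids = sorted(p for p, r in summary.items() if r["got_tgt"])
    starved = sorted(p for p, r in summary.items()
                     if r["no_creds"] and not r["got_tgt"]
                     and r["phases"] & {"session", "setcred"})
    return [(a, s) for a in auth_pids for s in starved]


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for pid in sorted(summary):
        rec = summary[pid]
        print(pid, sorted(rec["phases"]),
              "got_tgt" if rec["got_tgt"] else "no_creds" if rec["no_creds"] else "")
    print("handoff gaps (auth pid, starved pid):", handoff_gaps(summary))
```

Run it against a real /var/log/secure by reading the file into `summarize()` instead of `SAMPLE_LOG`; any pair it prints tells you which sshd process did the keyboard-interactive authentication and which one opened the session without credentials, which is the first thing to know before deciding whether the fix belongs in sshd_config or in the PAM stack.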