SCIENTIFIC-LINUX-USERS Archives

February 2006

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From:
Troy Dawson <[log in to unmask]>
Reply To:
Troy Dawson <[log in to unmask]>
Date:
Fri, 3 Feb 2006 13:27:01 -0600
Hi Doug,
I'm trying to figure out what you're trying to do, just not quite sure.

Are you trying to log into a machine using your AFS password?  A local 
password?  A Kerberos password?

When you log in, are you expecting an AFS token?  A Kerberos 5 ticket?  A 
Kerberos 4 ticket?

Also, does this work for a local user sitting down at the console? 
OpenSSH and Kerberos have been a headache, so getting ssh out of the 
picture clears up a lot of things.

Troy

Douglas Fuller wrote:
> I'm also having trouble configuring PAM in an afs/krb5 environment using 
> SL4.2.  On Debian, I've used pam_krb5 and libpam-openafs-session for 
> credentials cache/token setup, and I'm looking for similar functionality 
> (though putting aklog in a startup script would be fine).  Anyhow, I seem to 
> be misunderstanding something.
> 
> For now, I'm just trying to authenticate and end up with a credentials cache 
> on login (I can kinit fine).  What is strange is the pam_krb5 debug output 
> given the setup below.  The results are different based on whether the user 
> gives an incorrect password on the first attempt.  This seems to indicate 
> something else is reading the password, since pam_krb5 does not appear to 
> receive it from the first prompt (see notes below).
> 
> Even when pam_krb5 does get a TGT, the session module can't find it.  Thus, 
> no credentials cache anyway.  Is KRB5CCNAME not being propagated or 
> something?
> 
> TIA,
> --Doug Fuller
> --University of North Texas
> 
> /etc/ssh/sshd_config:
> PasswordAuthentication no
> KerberosAuthentication no
> GSSAPIAuthentication no
> UsePrivilegeSeparation no
> UsePAM yes
> 
> /etc/pam.d/sshd:
> auth     required pam_krb5.so debug forwardable
> account  required pam_unix.so
> password required pam_krb5.so
> session  required pam_krb5.so forwardable
> 
> Local passwords are disabled.
> 
> When I log in, here is the output to /var/log/secure:
> sshd[30568]: Accepted keyboard-interactive/pam for from  port 34025 ssh2 # 
> <-- Who is this?
> sshd[30568]: pam_krb5[30568]: configured realm # <-- same PID.  So is this 
> session output from pam_krb5?
> sshd[30568]: pam_krb5[30568]: flags: forwardable
> sshd[30568]: pam_krb5[30568]: flag: ignore_afs
> sshd[30568]: pam_krb5[30568]: flag: user_check
> sshd[30568]: pam_krb5[30568]: flag: krb4_convert
> sshd[30568]: pam_krb5[30568]: flag: warn
> sshd[30568]: pam_krb5[30568]: ticket lifetime: 100000
> sshd[30568]: pam_krb5[30568]: renewable lifetime: 100000
> sshd[30568]: pam_krb5[30568]: banner: Kerberos 5
> sshd[30568]: pam_krb5[30568]: ccache dir: /tmp
> sshd[30568]: pam_krb5[30568]: keytab: /etc/krb5.keytab
> sshd[30568]: pam_krb5[30568]: no v5 creds for user, skipping session setup
> sshd[30568]: pam_krb5[30568]: pam_open_session returning 0 (Success)
> sshd[30570]: pam_krb5[30570]: no v5 creds for user, skipping session setup
> sshd[30570]: pam_krb5[30570]: configured realm
> sshd[30570]: pam_krb5[30570]: flags: forwardable
> sshd[30570]: pam_krb5[30570]: flag: ignore_afs
> sshd[30570]: pam_krb5[30570]: flag: user_check
> sshd[30570]: pam_krb5[30570]: flag: krb4_convert
> sshd[30570]: pam_krb5[30570]: flag: warn
> sshd[30570]: pam_krb5[30570]: ticket lifetime: 100000
> sshd[30570]: pam_krb5[30570]: renewable lifetime: 100000
> sshd[30570]: pam_krb5[30570]: banner: Kerberos 5
> sshd[30570]: pam_krb5[30570]: ccache dir: /tmp
> sshd[30570]: pam_krb5[30570]: keytab: /etc/krb5.keytab
> sshd[30570]: pam_krb5[30570]: called to update credentials for
> sshd[30570]: pam_krb5[30570]: _pam_krb5_sly_refresh returning 0 (Success)
> 
> Here is the output when the user enters his password incorrectly on the 
> first attempt:
> 
> sshd[30683]: error: PAM: Authentication failure for # <--- Who is this?
> sshd[30685]: pam_krb5[30685]: configured realm
> sshd[30685]: pam_krb5[30685]: flags: forwardable
> sshd[30685]: pam_krb5[30685]: flag: ignore_afs
> sshd[30685]: pam_krb5[30685]: flag: user_check
> sshd[30685]: pam_krb5[30685]: flag: krb4_convert
> sshd[30685]: pam_krb5[30685]: flag: warn
> sshd[30685]: pam_krb5[30685]: ticket lifetime: 100000
> sshd[30685]: pam_krb5[30685]: renewable lifetime: 100000
> sshd[30685]: pam_krb5[30685]: banner: Kerberos 5
> sshd[30685]: pam_krb5[30685]: ccache dir: /tmp
> sshd[30685]: pam_krb5[30685]: keytab: /etc/krb5.keytab
> sshd[30685]: pam_krb5[30685]: called to authenticate
> sshd[30685]: pam_krb5[30685]: authenticating # <-- second password prompt 
> here
> sshd[30685]: pam_krb5[30685]: saving newly-entered password for use by other 
> modules
> sshd[30685]: pam_krb5[30685]: trying newly-entered password for
> sshd[30685]: pam_krb5[30685]: authenticating to 'krbtgt'
> sshd[30685]: pam_krb5[30685]: krb5_get_init_creds_password(krbtgt) returned 
> 0 (Success)
> sshd[30685]: pam_krb5[30685]: got result 0 (Success)
> sshd[30685]: pam_krb5[30685]: obtaining v4-compatible key
> sshd[30685]: pam_krb5[30685]: obtained des-cbc-crc v5 creds
> sshd[30685]: pam_krb5[30685]: converting v5 creds to v4 creds (etype = 1)
> sshd[30685]: pam_krb5[30685]: conversion succeeded
> sshd[30685]: pam_krb5[30685]: authentication succeeds  for
> sshd[30685]: pam_krb5[30685]: pam_authenticate returning 0 (Success)
> sshd[30683]: Accepted keyboard-interactive/pam port 34049 ssh2
> sshd[30683]: pam_krb5[30683]: configured realm
> sshd[30683]: pam_krb5[30683]: flags: forwardable
> sshd[30683]: pam_krb5[30683]: flag: ignore_afs
> sshd[30683]: pam_krb5[30683]: flag: user_check
> sshd[30683]: pam_krb5[30683]: flag: krb4_convert
> sshd[30683]: pam_krb5[30683]: flag: warn
> sshd[30683]: pam_krb5[30683]: ticket lifetime: 100000
> sshd[30683]: pam_krb5[30683]: renewable lifetime: 100000
> sshd[30683]: pam_krb5[30683]: banner: Kerberos 5
> sshd[30683]: pam_krb5[30683]: ccache dir: /tmp
> sshd[30683]: pam_krb5[30683]: keytab: /etc/krb5.keytab
> sshd[30683]: pam_krb5[30683]: no v5 creds for user, skipping session setup
> sshd[30683]: pam_krb5[30683]: pam_open_session returning 0 (Success)
> sshd[30686]: pam_krb5[30686]: no v5 creds for user, skipping session setup
> sshd[30686]: pam_krb5[30686]: configured realm
> sshd[30686]: pam_krb5[30686]: flags: forwardable
> sshd[30686]: pam_krb5[30686]: flag: ignore_afs
> sshd[30686]: pam_krb5[30686]: flag: user_check
> sshd[30686]: pam_krb5[30686]: flag: krb4_convert
> sshd[30686]: pam_krb5[30686]: flag: warn
> sshd[30686]: pam_krb5[30686]: ticket lifetime: 100000
> sshd[30686]: pam_krb5[30686]: renewable lifetime: 100000
> sshd[30686]: pam_krb5[30686]: banner: Kerberos 5
> sshd[30686]: pam_krb5[30686]: ccache dir: /tmp
> sshd[30686]: pam_krb5[30686]: keytab: /etc/krb5.keytab
> sshd[30686]: pam_krb5[30686]: called to update credentials for
> sshd[30686]: pam_krb5[30686]: _pam_krb5_sly_refresh returning 0 (Success)


-- 
__________________________________________________
Troy Dawson  [log in to unmask]  (630)840-6468
Fermilab  ComputingDivision/CSS  CSI Group
__________________________________________________
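As an added example (not code from the thread or from pam_krb5), a small Python triage script that groups the pam_krb5 lines above by sshd PID and flags the two things Doug asks about: an authentication failure logged by a PID that never ran pam_krb5's auth call, and a TGT obtained in one process while pam_open_session ran in another. The sample log is constructed from the quoted excerpt; USER and HOST are placeholders for the values the archive stripped.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the /var/log/secure excerpt quoted in the thread.
# USER and HOST are placeholders for the values the list archive stripped out.
SAMPLE_LOG = """\
sshd[30683]: error: PAM: Authentication failure for USER from HOST
sshd[30685]: pam_krb5[30685]: called to authenticate USER
sshd[30685]: pam_krb5[30685]: authenticating USER
sshd[30685]: pam_krb5[30685]: pam_authenticate returning 0 (Success)
sshd[30683]: Accepted keyboard-interactive/pam for USER from HOST port 34049 ssh2
sshd[30683]: pam_krb5[30683]: no v5 creds for user, skipping session setup
sshd[30683]: pam_krb5[30683]: pam_open_session returning 0 (Success)
sshd[30686]: pam_krb5[30686]: no v5 creds for user, skipping session setup
sshd[30686]: pam_krb5[30686]: called to update credentials for USER
"""

# sshd[PID]: optionally followed by pam_krb5[PID]:, then the message body.
LINE_RE = re.compile(r"^sshd\[(\d+)\]: (?:pam_krb5\[\d+\]: )?(.*)$")

def parse_by_pid(log):
    """Group message bodies by the sshd PID that logged them, keeping order."""
    by_pid = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            by_pid[int(m.group(1))].append(m.group(2))
    return by_pid

def pids_with(by_pid, prefix):
    return {pid for pid, msgs in by_pid.items() if any(x.startswith(prefix) for x in msgs)}

def analyse(log):
    """Return findings that explain why no credentials cache survives login."""
    by_pid = parse_by_pid(log)
    auth_ok = pids_with(by_pid, "pam_authenticate returning 0")
    krb5_auth = pids_with(by_pid, "called to authenticate")
    failures = pids_with(by_pid, "error: PAM: Authentication failure")
    sessions = pids_with(by_pid, "pam_open_session")
    no_creds = pids_with(by_pid, "no v5 creds for user")
    findings = []
    # Failure logged by a PID with no pam_krb5 authenticate call: pam_krb5 never logged that attempt.
    for pid in sorted(failures - krb5_auth):
        findings.append(f"pid {pid}: auth failure logged without a pam_krb5 authenticate call")
    # TGT obtained in one process, session opened in another: the session module cannot see it.
    if auth_ok and sessions and not (auth_ok & sessions):
        findings.append(f"auth succeeded in pid {sorted(auth_ok)} but session opened in pid {sorted(sessions)}")
    for pid in sorted(sessions & no_creds):
        findings.append(f"pid {pid}: session opened with no v5 creds, so no ccache is created")
    return findings
```

Run it against a real /var/log/secure excerpt by passing the file contents to analyse(); an empty result means auth and session ran in the same PID and pam_krb5 saw credentials there.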
