SCIENTIFIC-LINUX-USERS Archives

October 2008

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Felix Engel <[log in to unmask]>
Reply To: Felix Engel <[log in to unmask]>
Date: Tue, 28 Oct 2008 16:35:13 +0100
Content-Type: multipart/signed
Parts/Attachments: text/plain (5 kB), smime.p7s (4 kB)

Hi Troy,

On Tue, Oct 28, 2008 at 09:12:24AM -0500, Troy Dawson wrote:
> Hi,
> You never said which version of SL, openssh, or pam_krb5.
Sorry about that, I was at that point only asking for a comment on the
openssh bug. Anyway, here is the detailed information:


Scientific Linux SL release 5.0 (Boron)
Linux maximus 2.6.18-92.1.6.el5 #1 SMP Wed Jun 25 12:38:37 EDT 2008
x86_64 x86_64 x86_64 GNU/Linux
openssh-server.x86_64                    4.3p2-26.el5_2.1
openssh.x86_64                           4.3p2-26.el5_2.1
openssh-clients.x86_64                   4.3p2-26.el5_2.1
pam_krb5.i386                            2.2.14-1.el5_2.1
pam_krb5.x86_64                          2.2.14-1.el5_2.1

> For us, the problem is usually on the client, because by default, it does 
> not delegate credentials.  So in /etc/ssh/ssh_config you have to set
>   GSSAPIDelegateCredentials yes

The client machine is a Debian etch which is not part of the Kerberos
realm. It uses openssh-4.3p2-9etch3. Since it does not have
credentials, the user logs in to the SL5 server using his username and
password, which should trigger pam_krb5 and obtain credentials. To do
this we have set 
    PasswordAuthentication no
    UsePAM yes
in /etc/ssh/sshd_config on the server.

Logging on works, however the credentials are not cached.  As long as
the user logs in via another method (usually gdm) first, the
credentials are correctly forwarded via ssh and they are available. 

Kind regards,
    Felix


------- SNIP Log file extracts below -----
/var/log/messages:
Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: authentication succeeds for 'engel' ([log in to unmask])
Oct 28 16:25:48 maximus sshd[3406]: Accepted keyboard-interactive/pam for engel from 137.226.90.33 port 45550 ssh2


/var/log/syslog:
Oct 28 16:25:48 maximus sshd[3408]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=angelus.iss.rwth-aachen.de  user=engel
Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: configured realm 'ISS.RWTH-AACHEN.DE'
Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: flags: forwardable
Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: flag: no ignore_afs
Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: flag: user_check
Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: flag: no krb4_convert
Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: flag: krb4_convert_524
Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: flag: krb4_use_as_req
Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: will try previously set password first
Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: will let libkrb5 ask questions
Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: flag: no use_shmem
Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: flag: no external
Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: ticket lifetime: 0
Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: renewable lifetime: 0
Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: banner: Kerberos 5
Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: ccache dir: /tmp
Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: keytab: FILE:/etc/krb5.keytab
Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: called to authenticate 'engel', realm 'ISS.RWTH-AACHEN.DE'
Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: authenticating [log in to unmask]TH-AACHEN.DE'
Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: trying previously-entered password for 'engel', allowing libkrb5 to prompt for more
Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: authenticating [log in to unmask]TH-AACHEN.DE' to [log in to unmask]
Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: krb5_get_init_creds_password([log in to unmask]) returned 0 (Success)
Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: got result 0 (Success)
[...failing attempt to obtain v4 credentials...]
[...pam account services ...]
Oct 28 16:25:48 maximus sshd[3409]: Deprecated pam_stack module called from service "sshd"
Oct 28 16:25:48 maximus sshd[3409]: pam_unix(sshd:session): session opened for user engel by (uid=0)
Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: configured realm 'ISS.RWTH-AACHEN.DE'
Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: flags: forwardable
Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: flag: no ignore_afs
Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: flag: user_check
Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: flag: no krb4_convert
Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: flag: krb4_convert_524
Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: flag: krb4_use_as_req
Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: will try previously set password first
Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: will ask for a password if that fails
Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: will let libkrb5 ask questions
Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: flag: no use_shmem
Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: flag: no external
Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: ticket lifetime: 0
Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: renewable lifetime: 0
Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: banner: Kerberos 5
Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: ccache dir: /tmp
Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: keytab: FILE:/etc/krb5.keytab
Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: no v5 creds for user 'engel', skipping session setup
Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: pam_open_session returning 0 (Success)
Oct 28 16:25:48 maximus sshd[3409]: Deprecated pam_stack module called from service "sshd"
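
A log check for the symptom in the extracts above, as an added example that is not part of the original message: it rejoins records wrapped at 80 columns, then pairs each pam_krb5 "authentication succeeds" line with a later "no v5 creds ... skipping session setup" line for the same user and reports the two sshd PIDs. The host `srv1`, the users, the realm and the sample lines are constructed for illustration.

```python
import re

# Syslog timestamp and sshd prefix as they appear in the extracts above.
TS = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
SSHD = re.compile(r"^.{15} (\S+) sshd\[(\d+)\]: (.*)$")
AUTH_OK = re.compile(r"pam_krb5\[\d+\]: authentication succeeds for '([^']+)'")
NO_CREDS = re.compile(
    r"pam_krb5\[\d+\]: no v5 creds for user '([^']+)', skipping session setup")

# Constructed sample (hypothetical host and users), wrapped mid-record
# the same way the original extracts were.
SAMPLE = """\
Oct 28 16:25:48 srv1 sshd[4101]: pam_krb5[4101]: authentication succeeds for 'al
ice' (alice@EXAMPLE.ORG)
Oct 28 16:25:48 srv1 sshd[4100]: Accepted keyboard-interactive/pam for alice from 192.0.2.10 port 45550 ssh2
Oct 28 16:25:49 srv1 sshd[4102]: pam_krb5[4102]: no v5 creds for user 'alice'
, skipping session setup
Oct 28 16:30:02 srv1 sshd[4200]: pam_krb5[4200]: authentication succeeds for 'bob' (bob@EXAMPLE.ORG)
"""

def unwrap(lines):
    """Rejoin records split by terminal wrapping: any line that does not
    start with a syslog timestamp continues the previous record."""
    records = []
    for line in lines:
        line = line.rstrip("\n")
        if TS.match(line) or not records:
            records.append(line)
        else:
            records[-1] += line  # append verbatim, the wrap added no space
    return records

def find_lost_credentials(lines):
    """Report users whose pam_krb5 auth succeeded but whose session phase
    then found no v5 credentials, with the PID of each phase."""
    last_auth, findings = {}, []  # last_auth: (host, user) -> auth PID
    for rec in unwrap(lines):
        m = SSHD.match(rec)
        if not m:
            continue
        host, pid, msg = m.group(1), int(m.group(2)), m.group(3)
        if (a := AUTH_OK.search(msg)):
            last_auth[(host, a.group(1))] = pid
        elif (n := NO_CREDS.search(msg)) and (host, n.group(1)) in last_auth:
            auth_pid = last_auth.pop((host, n.group(1)))
            findings.append({"host": host, "user": n.group(1),
                             "auth_pid": auth_pid, "session_pid": pid,
                             "same_process": auth_pid == pid})
    return findings

if __name__ == "__main__":
    for f in find_lost_credentials(SAMPLE.splitlines()):
        print(f)
```

On the extracts in this message the same pairing gives auth in sshd[3408] and the skipped session setup in sshd[3409].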

