Ahh ... the old log in with the password and not via kerberos tickets, and
don't get the credentials problem. Yes, I remember that one.
Unfortunately, I don't remember if it was resolved ... but I'm pretty sure there
is a bugzilla about this. But right at the moment, I'm pretty swamped and am
not able to find it.
Troy
Felix Engel wrote:
> Hi Troy,
>
> On Tue, Oct 28, 2008 at 09:12:24AM -0500, Troy Dawson wrote:
>> Hi,
>> You never said which version of SL, openssh, or pam_krb5.
> Sorry about that, I was at that point only asking for a comment on the
> openssh bug. Anyway, here is the detailed information:
>
>
> Scientific Linux SL release 5.0 (Boron)
> Linux maximus 2.6.18-92.1.6.el5 #1 SMP Wed Jun 25 12:38:37 EDT 2008
> x86_64 x86_64 x86_64 GNU/Linux
> openssh-server.x86_64 4.3p2-26.el5_2.1
> openssh.x86_64 4.3p2-26.el5_2.1
> openssh-clients.x86_64 4.3p2-26.el5_2.1
> pam_krb5.i386 2.2.14-1.el5_2.1
> pam_krb5.x86_64 2.2.14-1.el5_2.1
>
>> For us, the problem is usually on the client, because by default, it does
>> not delegate credentials. So in /etc/ssh/ssh_config you have to set
>> GSSAPIDelegateCredentials yes
>
> The client machine is a debian etch which is not part of the kerberos
> realm. It uses openssh-4.3p2-9etch3. Since it does not have
> credentials, the user logs in to the SL5 server using his username and
> password, which should trigger pam_krb5 and obtain credentials. To do
> this we have set
> PasswordAuthentication no
> UsePAM yes
> in /etc/ssh/sshd_config on the server.
>
> Logging on works, however the credentials are not cached. As long as
> the user logs in via another method (usually gdm) first, the
> credentials are correctly forwarded via ssh and they are available.
>
> Kind regards,
> Felix
>
>
> ------- SNIP Log file extracts below -----
> /var/log/messages:
> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: authentication succeeds for 'engel' ([log in to unmask])
> Oct 28 16:25:48 maximus sshd[3406]: Accepted keyboard-interactive/pam for engel from 137.226.90.33 port 45550 ssh2
>
>
> /var/log/syslog:
> Oct 28 16:25:48 maximus sshd[3408]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=angelus.iss.rwth-aachen.de user=engel
> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: configured realm 'ISS.RWTH-AACHEN.DE'
> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: flags: forwardable
> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: flag: no ignore_afs
> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: flag: user_check
> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: flag: no krb4_convert
> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: flag: krb4_convert_524
> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: flag: krb4_use_as_req
> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: will try previously set password first
> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: will let libkrb5 ask questions
> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: flag: no use_shmem
> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: flag: no external
> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: ticket lifetime: 0
> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: renewable lifetime: 0
> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: banner: Kerberos 5
> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: ccache dir: /tmp
> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: keytab: FILE:/etc/krb5.keytab
> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: called to authenticate 'engel', realm 'ISS.RWTH-AACHEN.DE'
> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: authenticating [log in to unmask]TH-AACHEN.DE'
> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: trying previously-entered password for 'engel', allowing libkrb5 to prompt for more
> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: authenticating [log in to unmask]TH-AACHEN.DE' to [log in to unmask]
> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: krb5_get_init_creds_password([log in to unmask]) returned 0 (Success)
> Oct 28 16:25:48 maximus sshd[3408]: pam_krb5[3408]: got result 0 (Success)
> [...failing attempt to obtain v4 credentials...]
> [...pam account services ...]
> Oct 28 16:25:48 maximus sshd[3409]: Deprecated pam_stack module called from service "sshd"
> Oct 28 16:25:48 maximus sshd[3409]: pam_unix(sshd:session): session opened for user engel by (uid=0)
> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: configured realm 'ISS.RWTH-AACHEN.DE'
> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: flags: forwardable
> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: flag: no ignore_afs
> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: flag: user_check
> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: flag: no krb4_convert
> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: flag: krb4_convert_524
> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: flag: krb4_use_as_req
> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: will try previously set password first
> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: will ask for a password if that fails
> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: will let libkrb5 ask questions
> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: flag: no use_shmem
> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: flag: no external
> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: ticket lifetime: 0
> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: renewable lifetime: 0
> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: banner: Kerberos 5
> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: ccache dir: /tmp
> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: keytab: FILE:/etc/krb5.keytab
> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: no v5 creds for user 'engel', skipping session setup
> Oct 28 16:25:48 maximus sshd[3409]: pam_krb5[3409]: pam_open_session returning 0 (Success)
> Oct 28 16:25:48 maximus sshd[3409]: Deprecated pam_stack module called from service "sshd"
--
__________________________________________________
Troy Dawson [log in to unmask] (630)840-6468
Fermilab ComputingDivision/LCSI/CSI DSS Group
__________________________________________________