Gentoo Forums
MIT Kerberos 5, PAM and OpenSSH problems
Yev
n00b
Joined: 06 Jul 2005
Posts: 20

PostPosted: Mon Dec 12, 2005 5:01 pm    Post subject: MIT Kerberos 5, PAM and OpenSSH problems

Hi,

I have 2 servers set up with mit-kerberos 5, one master and one slave. They both work fine and I get forwardable TGTs using kinit.

I am trying to set up authentication through PAM; as a first try I'm trying to configure OpenSSH to use PAM.
I changed only the file /etc/pam.d/system-auth on server2 to the following:
Code:

#%PAM-1.0

auth       sufficient   pam_krb5.so use_first_pass forwardable ccache=%u debug
auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       required     pam_deny.so

account    [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] pam_krb5.so
account    required     pam_unix.so

password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   sufficient   pam_krb5.so use_authtok
password   required     pam_deny.so

session    required     pam_limits.so
session    required     pam_unix.so
session    optional     pam_krb5.so


I log on to server1 and run:
Code:

server1# kinit -f root
server1# klist -f
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root@DOMAIN.COM

Valid starting     Expires            Service principal
12/12/05 19:02:59  12/12/05 19:12:59  krbtgt/DOMAIN.COM@DOMAIN.COM
        Flags: FPI

Then I connect to server2 using ssh:
Code:

server1# ssh root@server2
Password for root@DOMAIN.COM:

This is the first problem: the ticket is not forwarded to server2 and I'm asked for a password again.

The second problem is that when I log on to server2 with ssh I don't get the ticket stored in the cache.
Code:

server2# klist -f
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)


Here is what I get in the syslog:
Code:

server2 sshd[8970]: pam_krb5: pam_sm_authenticate(sshd root): entry:
server2 sshd[8970]: pam_krb5: pam_sm_authenticate(sshd root): exit: success
server2 sshd[8965]: Accepted keyboard-interactive/pam for root from 10.0.0.1 port 45425 ssh2
server2 sshd[8965]: pam_krb5: pam_sm_setcred(sshd root): entry:
server2 sshd[8965]: pam_krb5: pam_sm_setcred(sshd root): pam_get_data(): No module specific data is present
server2 sshd[8965]: pam_krb5: pam_sm_setcred(sshd root): exit: failure
server2 sshd(pam_unix)[8971]: session opened for user root by root(uid=0)


I am using these versions:
  • mit-krb5 -- 1.4.1-r2
  • pam_krb5 -- 1.0-r1
  • openssh -- 4.2_p1


I googled for about 4 or 5 hours and got nothing. If anyone can help, please do :)

Thanks,
_________________
Yev
andy753421
n00b
Joined: 10 Dec 2004
Posts: 17

PostPosted: Mon Dec 18, 2006 8:40 am    Post subject:

(bringing up a dead post)

I'm having the same problem; has anyone been able to figure this out yet? I tried the 2003 snapshot of pam_krb5 as well, but I couldn't log in at all using that.
mattsk
n00b
Joined: 11 Apr 2003
Posts: 46
Location: Newcastle, Australia

PostPosted: Wed Mar 07, 2007 6:56 am    Post subject:

Well, firstly you have to make sure that you have the following in your /etc/ssh/sshd_config file:
Code:
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes


and the following in your /etc/ssh/ssh_config file:
Code:
Host *
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes


That will tell the ssh server to allow Kerberos credentials in authentication and allow credentials to be delegated (i.e. sent over to the server for use in your new logon), and will tell the client to attempt to do both of these things.

With the 2003 version of the pam-krb5 I am yet to be able to log on via ssh using Kerberos. Use the 1.0-r1 if you want to use ssh. If anybody knows how to get the 2003 version to allow ssh to work, I'd be very happy to hear it. Unfortunately the 1.0-r1 version doesn't work for changing passwords via the passwd program :( If somebody knows how to fix that I'd be very happy too. Has anybody tried the 2.2.6 ebuild?
_________________
-- Matt Sk (etc)
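As an added example (not from the thread or from any of its posters), a small POSIX shell checker for the three prerequisites the replies above establish for a TGT to follow an ssh login: a forwardable TGT on the client (the F flag in klist -f), GSSAPIAuthentication in the server's sshd_config, and GSSAPIAuthentication plus GSSAPIDelegateCredentials in the client's ssh_config. The klist output and config fragments are constructed from the posts; the function names and the assumption of a single "Host *" block in ssh_config are mine.

```shell
#!/bin/sh
# Added example, not from the thread: offline check of the three prerequisites
# mattsk's reply and Yev's klist output point at for a TGT to follow an ssh
# login: a forwardable TGT on the client (the F flag in klist -f), GSSAPI
# authentication enabled in the server's sshd_config, and both GSSAPI
# authentication and credential delegation enabled in the client's ssh_config.
# Configs and klist output are passed in as text; Host-block scoping in
# ssh_config is deliberately ignored (assumption: a single "Host *" block).

# has_opt CONFIG_TEXT KEYWORD: succeed if an uncommented "KEYWORD yes" line exists
has_opt() {
    printf '%s\n' "$1" | grep -Eiq "^[[:space:]]*$2[[:space:]]+yes([[:space:]]|$)"
}

# tgt_forwardable KLIST_OUTPUT: succeed if the ticket's Flags line carries F
# (upper-case F means forwardable; lower-case f only means already forwarded)
tgt_forwardable() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*Flags:[[:space:]]*[A-Za-z]*F'
}

# check_delegation KLIST SSHD_CONFIG SSH_CONFIG: print each missing prerequisite,
# return the number missing (0 means delegation can work end to end)
check_delegation() {
    missing=0
    tgt_forwardable "$1" || { echo "client: TGT is not forwardable (use kinit -f)"; missing=$((missing + 1)); }
    has_opt "$2" GSSAPIAuthentication || { echo "server sshd_config: GSSAPIAuthentication yes missing"; missing=$((missing + 1)); }
    has_opt "$3" GSSAPIAuthentication || { echo "client ssh_config: GSSAPIAuthentication yes missing"; missing=$((missing + 1)); }
    has_opt "$3" GSSAPIDelegateCredentials || { echo "client ssh_config: GSSAPIDelegateCredentials yes missing"; missing=$((missing + 1)); }
    return $missing
}

# Constructed sample inputs, modelled on the thread's posts
KLIST_FWD='Default principal: root@DOMAIN.COM
12/12/05 19:02:59  12/12/05 19:12:59  krbtgt/DOMAIN.COM@DOMAIN.COM
        Flags: FPI'
KLIST_PLAIN=$(printf '%s\n' "$KLIST_FWD" | sed 's/Flags: FPI/Flags: PI/')
SSHD_OK='# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes'
SSH_OK='Host *
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes'
SSH_NODELEGATE='Host *
  GSSAPIAuthentication yes
  #GSSAPIDelegateCredentials yes'

check_delegation "$KLIST_FWD" "$SSHD_OK" "$SSH_OK" && echo "all prerequisites met"
check_delegation "$KLIST_PLAIN" "$SSHD_OK" "$SSH_NODELEGATE" || echo "$? prerequisite(s) missing"
```

On a live pair of hosts the same functions can be fed `klist -f`, `cat /etc/ssh/sshd_config` and `cat /etc/ssh/ssh_config` output; note that this covers only the GSSAPI path over ssh, not the separate pam_krb5 ccache handling Yev's syslog shows.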