[OpenAFS-devel] Need an idea on a pam-problem

Mathias Feiler feiler@uni-hohenheim.de
Thu, 11 Jul 2013 17:07:02 +0200


Hello

I just (post-)installed Ubuntu 12.04 as usual, but got an unusual problem:

Well, I can kinit w/o any trouble and even get my AFS token,
thus I expect heimdal itself to be somehow OK.
However, when trying ssh (using PAM) I face this:

------------------8<--------------8<-------------------
~#> tail -5 /var/log/auth.log
Jul 11 15:36:21 linix3 sshd[2166]: Connection closed by 144.41.11.220 [preauth]
Jul 11 16:07:42 linix3 sshd[2266]: pam_krb5(sshd:auth): (user feiler) credential verification failed: encryption key has bad length
Jul 11 16:07:42 linix3 sshd[2266]: pam_krb5(sshd:auth): authentication failure; logname=feiler uid=0 euid=0 tty=ssh ruser= rhost=maren3.rz.uni-hohenheim.de
Jul 11 16:07:42 linix3 sshd[2266]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=maren3.rz.uni-hohenheim.de  user=feiler
Jul 11 16:07:45 linix3 sshd[2266]: Failed password for feiler from 144.41.11.220 port 57593 ssh2
~#>
------------------8<--------------8<-------------------
Well, I'm sure the password *is* correct.
The failing PAM module '/lib/x86_64-linux-gnu/security/pam_krb5.so'
comes with the package 'libpam-heimdal'.

I actually have no idea what the message
   "credential verification failed: encryption key has bad length"
wants to tell me, nor where to look for the oddities causing it.

Does anyone have an idea?  Any hint is very welcome.


Best regards


Mathias Feiler


PS:
Below you can see my
* keytab,
* PAM config (which I personally never touched),
* krb5.conf

------------------8<--------------8<-------------------
~#> ktutil list
FILE:/etc/krb5.keytab:

Vno  Type Principal                                         Aliases
   1  aes256-cts-hmac-sha1-96 host/linix3.rz.uni-hohenheim.de@UNI-HOHENHEIM.DE
   1  arcfour-hmac-md5 host/linix3.rz.uni-hohenheim.de@UNI-HOHENHEIM.DE
   1  des3-cbc-sha1 host/linix3.rz.uni-hohenheim.de@UNI-HOHENHEIM.DE
   1  des-cbc-md5 host/linix3.rz.uni-hohenheim.de@UNI-HOHENHEIM.DE
   1  des-cbc-md4 host/linix3.rz.uni-hohenheim.de@UNI-HOHENHEIM.DE
   1  des-cbc-crc host/linix3.rz.uni-hohenheim.de@UNI-HOHENHEIM.DE
~#>
------------------8<--------------8<-------------------

------------------8<--------------8<-------------------
~#> cat /etc/pam.d/common-auth
....

# here are the per-package modules (the "Primary" block)
auth    [success=2 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional                        pam_afs_session.so
auth    optional                        pam_cap.so
# end of pam-auth-update config


~#> cat /etc/pam.d/common-session
....
# here are the per-package modules (the "Primary" block)
session [default=1]                     pam_permit.so
# here's the fallback if no module succeeds
session requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required                        pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional                        pam_umask.so
# and here are more per-package modules (the "Additional" block)
session optional                        pam_krb5.so minimum_uid=1000
session required        pam_unix.so
session optional                        pam_afs_session.so
session optional                        pam_ck_connector.so nox11
------------------8<--------------8<-------------------

------------------8<--------------8<-------------------
~#> cat /etc/krb5.conf
# This is /etc/krb5.conf ready for Heimdal used at uni Hohenheim
[appdefaults]
         forwardable = true
         pam = {
             minimum_uid = 4000
             UNI-HOHENHEIM.DE = {
                 ignore_k5login = true
             }
         }
[libdefaults]
         allow_week_crypto = yes
         # allow_week_crypto = true
         default_realm = UNI-HOHENHEIM.DE
         ticket_lifetime = 12h
         renew_lifetime  = 168h
         v4_instance_resolve = false
         fcc-mit-ticketflags = true
[realms]
         UNI-HOHENHEIM.DE = {
                 kdc = 144.41.5.160
                 kdc = 144.41.5.161
                 kdc = 144.41.5.162
                 admin_server = 144.41.5.160
                 default_domain = uni-hohenheim.de
         }
          .....
[domain_realm]
         .uni-hohenheim.de = UNI-HOHENHEIM.DE
         uni-hohenheim.de  = UNI-HOHENHEIM.DE
         .....
[login]
         krb4_convert = true
         krb4_get_tickets = true
------------------8<--------------8<-------------------

-- 
Mathias Feiler  - Universitaet Hohenheim
Kommunikations-, Informations- und Medienzentrum (630)
IT Services  | IT Infrastructure Dept. (ITI)
Room 04.24/227 Schloss Westhof-Sued | 70599 Stuttgart
Tel. + 49 711 459 23949 | Fax + 49 711 459 23449
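As an added illustration (not part of Mathias's mail, and not Linux-PAM's own code), the following Python script models how Linux-PAM walks the quoted common-auth stack. A `[success=N default=ignore]` line skips the next N entries when its module succeeds and contributes nothing when it fails, so a rejected password in pam_krb5 falls through to pam_unix and then to the `requisite` pam_deny, which is why auth.log shows one failure line from each module followed by sshd's "Failed password". The control semantics are deliberately reduced to the `success` and `default` actions (`ok`, `bad`, `die`, `done`, `ignore`, or a jump count); the stack text is the one from the mail with the line wrapping undone, and the per-module outcomes are constructed inputs.

```python
import re

# Linux-PAM's keyword controls, expanded to the bracket form they stand for.
# Return codes other than success are folded into "default" in this model.
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

# type, control ([...] group or keyword), module, optional arguments
LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$")

# Modules whose result never depends on input.
FIXED_RESULTS = {"pam_deny.so": "failure", "pam_permit.so": "success"}

# The /etc/pam.d/common-auth from the mail, wrapped line rejoined (sample input).
COMMON_AUTH = """
auth    [success=2 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional                        pam_afs_session.so
auth    optional                        pam_cap.so
"""


def parse_control(token):
    """Turn 'required' or '[success=2 default=ignore]' into an action map."""
    if token.startswith("["):
        actions = {"success": "ignore", "default": "ignore"}
        for kv in token.strip("[]").split():
            key, _, val = kv.partition("=")
            actions[key] = val
        return actions
    return dict(KEYWORDS[token])


def parse_stack(text, facility):
    """Return [(actions, module)] for the lines of the given facility (e.g. 'auth')."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m and m.group(1) == facility:
            entries.append((parse_control(m.group(2)), m.group(3)))
    return entries


def run_stack(entries, outcomes):
    """Walk the stack once.

    outcomes maps module name -> 'success' | 'failure' for modules whose result
    depends on the user (unlisted modules succeed). Returns the overall result
    and the ordered list of (module, result) pairs that were actually invoked,
    so jumped-over modules never appear in the trace.
    """
    status = None  # nothing has set a result yet
    trace = []
    i = 0
    while i < len(entries):
        actions, module = entries[i]
        result = FIXED_RESULTS.get(module, outcomes.get(module, "success"))
        trace.append((module, result))
        action = actions["success"] if result == "success" else actions["default"]
        i += 1
        if action.isdigit():
            i += int(action)            # jump: skip N entries, result is ignored
        elif action in ("ok", "done"):
            if status is None:
                status = "success"      # first contributing module wins
            if action == "done" and status == "success":
                break                   # sufficient-style early exit
        elif action in ("bad", "die"):
            if status is None:
                status = "failure"
            if action == "die":
                break                   # requisite-style abort
        # "ignore" leaves the accumulated status untouched
    # With nothing contributing, Linux-PAM denies; pam_permit exists to avoid that.
    return (status or "failure"), trace


def simulate(outcomes):
    return run_stack(parse_stack(COMMON_AUTH, "auth"), outcomes)


if __name__ == "__main__":
    for label, outcomes in [
        ("krb5 rejects, unix rejects", {"pam_krb5.so": "failure", "pam_unix.so": "failure"}),
        ("krb5 accepts", {"pam_krb5.so": "success"}),
        ("krb5 rejects, unix accepts", {"pam_krb5.so": "failure", "pam_unix.so": "success"}),
    ]:
        final, trace = simulate(outcomes)
        print(f"{label}: {final}; invoked {[m for m, _ in trace]}")
```

The first scenario reproduces the log from the mail: pam_krb5 and pam_unix each log a failure, pam_deny turns that into the final denial, and pam_permit is never reached. The second shows why the `success=2` jump matters: a Kerberos success lands directly on pam_permit, which is the only module in the stack that can set a positive result.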