[OpenAFS] trouble with pam_krb5
Christopher Allen Wing
wingc@engin.umich.edu
Fri, 15 Jul 2005 12:24:42 -0400 (EDT)
On Fri, 15 Jul 2005, Kurt Seiffert wrote:
> The only think I did for the sshd was to turn off PubKey authentication and
> turn on PAM authentication.
PAM is enabled by default, and pubkey shouldn't make a difference.
Is this the standard sshd that comes with RHEL4, or your own?
The interaction between OpenSSH's 'privilege separation', PAM, and SELinux
can be somewhat interesting.
In fact, it looks like that's your problem.
Note that in your debugging log the first messages from sshd come from pid
15636:
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: trying previously-entered password for 'seiffert'
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: authenticating 'seiffert@RFSTEST.IU.EDU' to 'krbtgt/RFSTEST.IU.EDU@RFSTEST.IU.EDU'
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: krb5_get_init_creds_password(krbtgt/RFSTEST.IU.EDU@RFSTEST.IU.EDU) returned 0 (Success)
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: got result 0 (Success)
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: obtaining v4- compatible key
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: obtained des- cbc-crc v5 creds
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: converting v5 creds to v4 creds (etype = 1)
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: conversion succeeded
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: authentication succeeds for 'seiffert' (seiffert@RFSTEST.IU.EDU)
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: pam_authenticate returning 0 (Success)
This is from the "auth" stage of PAM.
Now look at the next set of messages, from the "session" stage of PAM:
> Jul 13 15:35:33 rufus1 sshd(pam_unix)[15637]: session opened for user seiffert by (uid=0)
> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: configured realm 'RFSTEST.IU.EDU'
> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: flags: not forwardable
> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: flag: no ignore_afs
> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: flag: user_check
> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: flag: no krb4_convert
> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: flag: warn
> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: ticket lifetime: 36000
> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: renewable lifetime: 36000
> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: banner: Kerberos 5
> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: ccache dir: /tmp
> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: keytab: /etc/ krb5.keytab
> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: no v5 creds for user 'seiffert', skipping session setup
The pam module is now running in a different process, so it doesn't have
access to the krb5 creds. (which were stored in the memory image of
process 15636)
That's why it fails for you.
We're using sshd from the 'openssh-server-3.9p1-8.RHEL4.1' RPM, and the
standard /etc/ssh/sshd config files.
It works for us on i386 and x86_64.
What are you using?
-Chris
wingc@engin.umich.edu