[OpenAFS] trouble with pam_krb5
Kurt Seiffert
seiffert@indiana.edu
Mon, 18 Jul 2005 10:07:00 -0500
We are running the package 'openssh-server-3.9p1-8.RHEL4.4'. My man
pages for sshd_config indicate that UsePAM is off by default. I
turned off the pubkey, because I had been using a pub/priv key, but
that seemed to cause ssh to skip completely the Kerberos authentication.
I'm using this on i386. Thanks for the observation about the
difference between the auth and session messages. Not sure where to
go with that, but it is interesting.
The basic problem still seems to be that the Kerberos tickets are not
getting written to the cache so that subsequent processes have access
to them.
Thanks again for the help.
-KAS
Kurt A. Seiffert | seiffert@indiana.edu
UITS Distributed Storage Services Group | C: 812-345-1892
Indiana University, Bloomington | W: 1 812-855-5089
On Jul 15, 2005, at 11:24 AM, Christopher Allen Wing wrote:
> On Fri, 15 Jul 2005, Kurt Seiffert wrote:
>
>
>> The only thing I did for the sshd was to turn off PubKey
>> authentication and turn on PAM authentication.
>>
>
> PAM is enabled by default, and pubkey shouldn't make a difference.
>
>
> Is this the standard sshd that comes with RHEL4, or your own?
>
> The interaction between OpenSSH's 'privilege separation', PAM, and
> SELinux can be somewhat interesting.
>
>
>
> In fact, it looks like that's your problem.
>
>
> Note that in your debugging log the first messages from sshd come
> from pid 15636:
>
>
>
>> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: trying
>> previously-entered password for 'seiffert'
>> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]:
>> authenticating 'seiffert@RFSTEST.IU.EDU' to 'krbtgt/
>> RFSTEST.IU.EDU@RFSTEST.IU.EDU'
>> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]:
>> krb5_get_init_creds_password(krbtgt/RFSTEST.IU.EDU@RFSTEST.IU.EDU)
>> returned 0 (Success)
>> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: got result 0
>> (Success)
>> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: obtaining v4-
>> compatible key
>> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: obtained des-
>> cbc-crc v5 creds
>> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: converting v5
>> creds to v4 creds (etype = 1)
>> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: conversion
>> succeeded
>> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]:
>> authentication succeeds for 'seiffert' (seiffert@RFSTEST.IU.EDU)
>> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]:
>> pam_authenticate returning 0 (Success)
>>
>
> This is from the "auth" stage of PAM.
>
>
> Now look at the next set of messages, from the "session" stage of PAM:
>
>
>
>> Jul 13 15:35:33 rufus1 sshd(pam_unix)[15637]: session opened for
>> user seiffert by (uid=0)
>> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: configured
>> realm 'RFSTEST.IU.EDU'
>> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: flags: not
>> forwardable
>> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: flag: no
>> ignore_afs
>> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: flag: user_check
>> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: flag: no
>> krb4_convert
>> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: flag: warn
>> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: ticket
>> lifetime: 36000
>> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: renewable
>> lifetime: 36000
>> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: banner:
>> Kerberos 5
>> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: ccache dir: /tmp
>> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: keytab: /etc/
>> krb5.keytab
>> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: no v5 creds
>> for user 'seiffert', skipping session setup
>>
>
>
>
> The pam module is now running in a different process, so it doesn't
> have access to the krb5 creds (which were stored in the memory
> image of process 15636).
>
> That's why it fails for you.
>
>
>
>
> We're using sshd from the 'openssh-server-3.9p1-8.RHEL4.1' RPM, and
> the standard /etc/ssh/sshd config files.
>
> It works for us on i386 and x86_64.
>
> What are you using?
>
>
> -Chris
> wingc@engin.umich.edu
>
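The diagnosis in the quoted reply rests on one observation: the pam_krb5 "auth" messages carry sshd pid 15636 while the "session" messages carry pid 15637, so credentials held only in the first process's memory are gone by the time the session stage looks for them. The script below is an added example (not code from either poster or from the pam_krb5 or OpenSSH projects) that automates that check over syslog lines: it correlates the auth-stage and session-stage pam_krb5 messages by PID and reports whether the hand-off crossed a process boundary. It keys on the exact message strings that appear in the quoted log ("pam_authenticate returning 0", "ccache dir:", "skipping session setup", "session opened"); other pam_krb5 versions may word these differently, which is an assumption to verify against your own logs. The first sample is the quoted log with the mail client's line wrapping removed; the second is a constructed variant in which both stages run in one PID, to show the other branch of the diagnosis.

```python
import re

# Shape of the syslog lines quoted in the thread (mail wrapping removed):
#   "Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: <message>"
# The program field may carry a parenthesised PAM module, e.g. "sshd(pam_unix)".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"(?P<prog>\w+)(?:\((?P<pmod>\w+)\))?\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
# pam_krb5 prefixes its own messages with "pam_krb5[<pid>]: ".
PAM_MODULE_RE = re.compile(r"^(?P<module>pam_\w+)\[\d+\]:\s+(?P<text>.*)$")

# Lines taken from the log quoted in the thread (wrapping removed).
QUOTED_LOG = """\
Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: trying previously-entered password for 'seiffert'
Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: authentication succeeds for 'seiffert' (seiffert@RFSTEST.IU.EDU)
Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: pam_authenticate returning 0 (Success)
Jul 13 15:35:33 rufus1 sshd(pam_unix)[15637]: session opened for user seiffert by (uid=0)
Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: ccache dir: /tmp
Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: no v5 creds for user 'seiffert', skipping session setup
"""

# Constructed variant (not from the thread): both stages in the same PID.
SAME_PID_LOG = """\
Jul 13 15:40:01 rufus1 sshd[15700]: pam_krb5[15700]: pam_authenticate returning 0 (Success)
Jul 13 15:40:01 rufus1 sshd(pam_unix)[15700]: session opened for user seiffert by (uid=0)
Jul 13 15:40:01 rufus1 sshd[15700]: pam_krb5[15700]: no v5 creds for user 'seiffert', skipping session setup
"""


def parse_line(line):
    """Return (pid, module, text) for one syslog line, or None if it does not match.

    module is the PAM module name when the message names one (either as
    "pam_krb5[pid]:" inside the message or as "sshd(pam_unix)"), else the program.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    pm = PAM_MODULE_RE.match(msg)
    if pm:
        return m.group("pid"), pm.group("module"), pm.group("text")
    return m.group("pid"), m.group("pmod") or m.group("prog"), msg


def analyse(lines):
    """Correlate pam_krb5 auth-stage and session-stage messages by sshd PID."""
    result = {
        "auth_pid": None,        # PID in which pam_authenticate succeeded
        "session_pid": None,     # PID in which the PAM session stage ran
        "ccache_dir": None,      # where pam_krb5 would have written a ccache
        "session_skipped": False,
        "split_process": False,  # auth and session stages ran in different PIDs
    }
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        pid, module, text = parsed
        if module == "pam_krb5":
            if text.startswith("pam_authenticate returning 0"):
                result["auth_pid"] = pid
            elif text.startswith("ccache dir:"):
                result["ccache_dir"] = text.split(":", 1)[1].strip()
            elif "skipping session setup" in text:
                result["session_pid"] = pid
                result["session_skipped"] = True
        elif module == "pam_unix" and text.startswith("session opened"):
            result["session_pid"] = pid
    result["split_process"] = (
        result["auth_pid"] is not None
        and result["session_pid"] is not None
        and result["auth_pid"] != result["session_pid"]
    )
    return result


def diagnose(result):
    """Turn the correlation into a one-line explanation for the operator."""
    if result["auth_pid"] is None:
        return "no successful pam_krb5 authentication found"
    if result["split_process"] and result["session_skipped"]:
        where = f" under {result['ccache_dir']}" if result["ccache_dir"] else ""
        return (
            f"creds obtained in pid {result['auth_pid']} (auth stage) but the "
            f"session stage ran in a different process, pid {result['session_pid']}: "
            f"in-memory creds were never written to a ccache{where}"
        )
    if result["session_skipped"]:
        return "session stage found no creds in the same process; check pam_krb5 session configuration"
    return "auth and session stages correlated; no ccache hand-off problem detected"


if __name__ == "__main__":
    for label, log in (("quoted log", QUOTED_LOG), ("same-pid variant", SAME_PID_LOG)):
        print(f"{label}: {diagnose(analyse(log.splitlines()))}")
```

Run against the quoted log it reports the split between pid 15636 and 15637 and the `/tmp` ccache directory that never received a file; against the same-PID variant it points at pam_krb5's session configuration instead, which is the distinction the reply draws between the "auth" and "session" stages.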