[OpenAFS] trouble with pam_krb5
Christopher Allen Wing
Mon, 18 Jul 2005 14:09:03 -0400 (EDT)
Sorry, I was wrong about the PID being different pointing to a problem. I
had misread our log files here, thinking that on our systems, the pid
didn't change between auth and session phase.
Actually, it looks like the problem is 'keyboard-interactive'
authentication in sshd. This seems to break the krb5 PAM module.
I'm guessing that you changed the default configuration in
or something like that? (or maybe you just removed the line altogether;
challengeresponse is enabled by default if nothing is there)
With the default /etc/ssh/sshd_config from openssh-server-3.9p1-8.RHEL4.4,
everything works; if I change it so that ChallengeResponseAuthentication
is enabled, then pam_krb5 fails for me in the exact same way it fails for
Ensure that you have:
in /etc/ssh/sshd_config and see if that fixes your problem?
On Mon, 18 Jul 2005, Kurt Seiffert wrote:
> We are running the package 'openssh-server-3.9p1-8.RHEL4.4'. My man pages
> for sshd_config indicates that UsePAM is off by default. I turned off the
> pubkey, because I had been using a pub/priv key, but that seemed to cause ssh
> to skip completely the kerberos authentication.
> I'm using this on i386. Thanks for the observation about the difference
> between the auth and session messages. Not sure where to go with that, but it
> is interesting.
> The basic problem still seems to be that the kerberos tickets are not getting
> written to the cache so that subsequent processes have access to them.