[OpenAFS] trouble with pam_krb5
Christopher Allen Wing
wingc@engin.umich.edu
Mon, 18 Jul 2005 14:09:03 -0400 (EDT)
Kurt:

Sorry, I was wrong about the PID being different pointing to a problem. I
had misread our log files here, thinking that on our systems, the pid
didn't change between auth and session phase.

Actually, it looks like the problem is 'keyboard-interactive'
authentication in sshd. This seems to break the krb5 PAM module.

I'm guessing that you changed the default configuration in
/etc/ssh/sshd_config from

    ChallengeResponseAuthentication no

to

    ChallengeResponseAuthentication yes

or something like that? (or maybe you just removed the line altogether;
challengeresponse is enabled by default if nothing is there)

With the default /etc/ssh/sshd_config from openssh-server-3.9p1-8.RHEL4.4,
everything works; if I change it so that ChallengeResponseAuthentication
is enabled, then pam_krb5 fails for me in the exact same way it fails for
you.

Ensure that you have:

    ChallengeResponseAuthentication no

in /etc/ssh/sshd_config and see if that fixes your problem?

-Chris
wingc@engin.umich.edu
On Mon, 18 Jul 2005, Kurt Seiffert wrote:
> We are running the package 'openssh-server-3.9p1-8.RHEL4.4'. My man pages
> for sshd_config indicate that UsePAM is off by default. I turned off the
> pubkey, because I had been using a pub/priv key, but that seemed to cause ssh
> to skip completely the kerberos authentication.
>
> I'm using this on i386. Thanks for the observation about the difference
> between the auth and session messages. Not sure where to go with that, but it
> is interesting.
>
> The basic problem still seems to be that the kerberos tickets are not getting
> written to the cache so that subsequent processes have access to them.
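
Added example, not part of the original message or of OpenSSH: a shell check that reports the value sshd would use for ChallengeResponseAuthentication, covering the "line removed altogether" case the reply describes. The function names are hypothetical; the defaults are the ones stated in the thread (ChallengeResponseAuthentication yes, UsePAM no), and the sample config is constructed.

```shell
#!/bin/sh
# Added example (not from the original message): report the value sshd would
# use for a keyword in an sshd_config-style file.

# effective_sshd_option FILE KEYWORD DEFAULT
# Keywords are case-insensitive and the first uncommented occurrence wins.
# DEFAULT is printed when the keyword is absent.
effective_sshd_option() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key); val = "" }
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)      # "Keyword value" or "Keyword=value"
            if (val == "" && tolower(f[1]) == key) {
                val = tolower(f[2])
                gsub(/"/, "", val)         # arguments may be double-quoted
            }
        }
        END { print (val == "" ? def : val) }
    ' "$1"
}

# check_challenge_response FILE
# Returns 0 when ChallengeResponseAuthentication is effectively "no" (the
# setting the reply recommends for pam_krb5), 1 otherwise.
check_challenge_response() {
    # Assumed defaults, taken from the thread: "yes" when the line is absent,
    # and UsePAM "no" per the quoted man page remark.
    cra=$(effective_sshd_option "$1" ChallengeResponseAuthentication yes)
    pam=$(effective_sshd_option "$1" UsePAM no)
    echo "ChallengeResponseAuthentication=$cra UsePAM=$pam"
    [ "$cra" = "no" ]
}

# Constructed sample: the directive is commented out, so the default applies.
sample=$(mktemp)
printf '%s\n' '#ChallengeResponseAuthentication no' 'UsePAM yes' > "$sample"
check_challenge_response "$sample" || echo "keyboard-interactive is enabled"
rm -f "$sample"
```

On a real host, run check_challenge_response /etc/ssh/sshd_config; a non-zero exit means the setting the reply recommends is not in effect.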