[OpenAFS] trouble with pam_krb5

Christopher Allen Wing wingc@engin.umich.edu
Mon, 18 Jul 2005 14:09:03 -0400 (EDT)


Sorry, I was wrong about the PID being different pointing to a problem. I 
had misread our log files here, thinking that on our systems, the pid 
didn't change between auth and session phase.

Actually, it looks like the problem is 'keyboard-interactive' 
authentication in sshd. This seems to break the krb5 PAM module.

I'm guessing that you changed the default configuration in 
/etc/ssh/sshd_config from

 	ChallengeResponseAuthentication	no

to

 	ChallengeResponseAuthentication	yes

or something like that? (or maybe you just removed the line altogether; 
challengeresponse is enabled by default if nothing is there)

With the default /etc/ssh/sshd_config from openssh-server-3.9p1-8.RHEL4.4, 
everything works; if I change it so that ChallengeResponseAuthentication 
is enabled, then pam_krb5 fails for me in the exact same way it fails for 

Ensure that you have:

 	ChallengeResponseAuthentication no

in /etc/ssh/sshd_config and see if that fixes your problem?


On Mon, 18 Jul 2005, Kurt Seiffert wrote:

> We are running the package 'openssh-server-3.9p1-8.RHEL4.4'.  My man pages 
> for sshd_config indicate that UsePAM is off by default. I turned off the 
> pubkey, because I had been using a pub/priv key, but that seemed to cause ssh 
> to skip completely the kerberos authentication.
> I'm using this on i386. Thanks for the observation about the difference 
> between the auth and session messages. Not sure where to go with that, but it 
> is interesting.
> The basic problem still seems to be that the kerberos tickets are not getting 
> written to the cache so that subsequent processes have access to them.
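
Added example, not part of the original thread: a shell check that reports the effective ChallengeResponseAuthentication value of an sshd_config file, treating a removed or commented-out line as enabled, as the message above describes. The function names and sample fragments are constructed for illustration; first-occurrence-wins keyword handling is an assumption of the example.

```shell
#!/bin/sh
# Added example (not from the original post): report the effective
# ChallengeResponseAuthentication setting of an sshd_config file.
# Assumptions: sshd uses the first occurrence of a keyword, keywords are
# case-insensitive, and the option is enabled when absent (as the post says).

# effective_cra FILE -> prints "yes" or "no"
effective_cra() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)            # drop leading indentation
            n = split(line, f, /[ \t=]+/)       # keyword, then value
            if (n >= 2 && tolower(f[1]) == "challengeresponseauthentication") {
                print tolower(f[2]); found = 1; exit
            }
        }
        END { if (!found) print "yes" }         # absent means enabled
    ' "$1"
}

# check_sshd_config FILE -> status 0 if keyboard-interactive is disabled
check_sshd_config() {
    if [ "$(effective_cra "$1")" = "no" ]; then
        echo "$1: ChallengeResponseAuthentication no"
    else
        echo "$1: ChallengeResponseAuthentication effectively yes (set it to no)"
        return 1
    fi
}

# write_samples DIR: constructed sshd_config fragments for the three cases
write_samples() {
    printf 'UsePAM yes\n \tChallengeResponseAuthentication\tno\n' > "$1/explicit_no"
    printf 'UsePAM yes\nchallengeresponseauthentication yes\n' > "$1/explicit_yes"
    printf 'UsePAM yes\n#ChallengeResponseAuthentication no\n' > "$1/line_removed"
}

demo() {
    d=$(mktemp -d) || return 1
    write_samples "$d"
    for f in explicit_no explicit_yes line_removed; do
        check_sshd_config "$d/$f" || true
    done
    rm -rf "$d"
}
demo
```

On a real host, point `check_sshd_config` at /etc/ssh/sshd_config and restart sshd after changing the setting.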