[OpenAFS] trouble with pam_krb5
Christopher Allen Wing
Mon, 18 Jul 2005 16:11:16 -0400 (EDT)
Ha. My theory about 'improper UID' was incorrect, but I did find the
When 'keyboard-interactive' mode is in use, OpenSSH forks off a separate
process to do PAM authentication. This process then dies, and thus the
credentials cache (which is stored in memory) goes away.
When 'keyboard-interactive' mode is disabled (and 'password' mode is used
instead), the PAM authentication is done in the same process, so the
credentials cache isn't destroyed.
There are some #ifdefs in the openssh source which control whether
pthreads are used to call PAM, or a separate process. When pthreads are
used, a new thread is created, PAM calls are made in this thread, and then
the thread terminates. However, the credentials then stick around properly
(since the thread shares memory with the rest of sshd)
I was able to get OpenSSH to work properly with
'ChallengeResponseAuthentication yes' when I rebuilt the OpenSSH RPM from
to the RPM .spec file as appropriate.
However, pthreads appear to be disabled by default in OpenSSH (there is
no --configure option to enable them). So it would be wise to find out why
they decided not to expose this functionality; it's possible that it might
be broken in some other way.
Anyway, I think the short summary is:
'keyboard-interactive' authentication in OpenSSH breaks the
semantics of PAM, and thus the pam_krb5 module cannot work properly when
"ChallengeResponseAuthentication" is enabled.
Red Hat's supported version of OpenSSH disables
ChallengeResponseAuthentication, possibly for this reason.
It's possible to get it to work, if you rebuild sshd with pthreads
support, but this may not be supported or well tested by OpenSSH, and
certainly unsupported by Red Hat.
The best workaround for the moment seems to be ensuring that
ChallengeResponseAuthentication is disabled.
On Mon, 18 Jul 2005, Russ Allbery wrote:
> This breaks password expiration, or any other PAM dialogs that require
> anything more complex than a simple password prompt.