[OpenAFS] pam_krb5afs and 1.4.0rc5 problems..
lamont@scriptkiddie.org
Tue, 25 Oct 2005 09:57:04 -0700 (PDT)
Try:
auth sufficient /lib/security/$ISA/pam_krb5afs.so debug use_shmem=sshd
session sufficient /lib/security/$ISA/pam_krb5afs.so debug external use_shmem=sshd
The "use_shmem" option will probably fix what you're seeing below where
authentication succeeds, but then session sees 'no v5 creds' because it is
running in a different process. The "external" option line is useful so
that session will pick up that KRB5CCNAME points to cached creds from the
GSSAPI TGT forwarding in sshd.
I'm using a CVS checkout of the pam sources which is roughly
pam_krb5-2.2.0-0.5. There's a pointer somewhere in the list archives to
where you can check them out from CVS...
On Tue, 25 Oct 2005, Kurt Seiffert wrote:
> We actually have had this problem for awhile.
>
> We have been trying to get the standard RHEL3 and RHEL4 pam_krb5afs modules
> that come with the RHEL. These are rpm's :
> pam_krb5-1.77-1 for RHEL3
> pam_krb5-2.1.8-1 for RHEL4
>
> They fail to get tokens at log in.
>
> I configured the debug option on the pam module and here is the output dumped
> to syslog.
>
> Can anyone point me at what might be the problem?
>
> Here is the syslog output from the RHEL4 setup:
>> Oct 25 10:32:38 rfs3 sshd[4465]: pam_krb5[4465]: could not obtain initial
>> v4 creds: 7 (Argument list too long)
>> Oct 25 10:32:38 rfs3 sshd[4465]: pam_krb5[4465]: error obtaining v4 creds:
>> 57 (Invalid slot)
>> Oct 25 10:32:38 rfs3 sshd[4465]: pam_krb5[4465]: authentication succeeds
>> for 'seiffert' (seiffert@IU.EDU)
>> Oct 25 10:32:38 rfs3 sshd[4465]: pam_krb5[4465]: pam_authenticate
>> returning 0 (Success)
>> Oct 25 10:32:38 rfs3 sshd[4463]: Accepted keyboard-interactive/pam for
>> seiffert from ::ffff:156.56.13.2 port 51720 ssh2
>> Oct 25 10:32:38 rfs3 sshd(pam_unix)[4467]: session opened for user
>> seiffert by (uid=0)
>> Oct 25 10:32:38 rfs3 sshd[4467]: pam_krb5[4467]: configured realm 'IU.EDU'
>> Oct 25 10:32:38 rfs3 sshd[4467]: pam_krb5[4467]: flags: forwardable
>> Oct 25 10:32:38 rfs3 sshd[4467]: pam_krb5[4467]: flag: no ignore_afs
>> Oct 25 10:32:38 rfs3 sshd[4467]: pam_krb5[4467]: flag: user_check
>> Oct 25 10:32:38 rfs3 sshd[4467]: pam_krb5[4467]: flag: no krb4_convert
>> Oct 25 10:32:38 rfs3 sshd[4467]: pam_krb5[4467]: flag: warn
>> Oct 25 10:32:38 rfs3 sshd[4467]: pam_krb5[4467]: ticket lifetime: 36000
>> Oct 25 10:32:38 rfs3 sshd[4467]: pam_krb5[4467]: renewable lifetime: 36000
>> Oct 25 10:32:38 rfs3 sshd[4467]: pam_krb5[4467]: banner: Kerberos 5
>> Oct 25 10:32:38 rfs3 sshd[4467]: pam_krb5[4467]: ccache dir: /tmp
>> Oct 25 10:32:38 rfs3 sshd[4467]: pam_krb5[4467]: keytab: /etc/krb5.keytab
>> Oct 25 10:32:38 rfs3 sshd[4467]: pam_krb5[4467]: no v5 creds for user
>> 'seiffert', skipping session setup
>> Oct 25 10:32:38 rfs3 sshd[4467]: pam_krb5[4467]: pam_open_session
>> returning 0 (Success)
>> Oct 25 10:32:38 rfs3 pam_loginuid[4467]: set_loginuid failed opening
>> loginuid
>
> Here is the system-auth file:
>> #%PAM-1.0
>> # This file is auto-generated.
>> # User changes will be destroyed the next time authconfig is run.
>> auth required /lib/security/$ISA/pam_env.so
>> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
>> auth sufficient /lib/security/$ISA/pam_krb5afs.so use_first_pass tokens
>> auth required /lib/security/$ISA/pam_deny.so
>>
>> account required /lib/security/$ISA/pam_unix.so broken_shadow
>> account sufficient /lib/security/$ISA/pam_localuser.so
>> account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
>> account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5afs.so
>> account required /lib/security/$ISA/pam_permit.so
>>
>> password requisite /lib/security/$ISA/pam_cracklib.so retry=3
>> password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
>> password sufficient /lib/security/$ISA/pam_krb5afs.so use_authtok
>> password required /lib/security/$ISA/pam_deny.so
>>
>> session required /lib/security/$ISA/pam_limits.so
>> session required /lib/security/$ISA/pam_unix.so
>> session optional /lib/security/$ISA/pam_krb5afs.so
>
>
> Here is the sshd_config file:
>> # $OpenBSD: sshd_config,v 1.69 2004/05/23 23:59:53 dtucker Exp $
>>
>> # This is the sshd server system-wide configuration file. See
>> # sshd_config(5) for more information.
>>
>> # This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
>>
>> # The strategy used for options in the default sshd_config shipped with
>> # OpenSSH is to specify options with their default value where
>> # possible, but leave them commented. Uncommented options change a
>> # default value.
>>
>> #Port 22
>> #Protocol 2,1
>> #ListenAddress 0.0.0.0
>> #ListenAddress ::
>>
>> # HostKey for protocol version 1
>> #HostKey /etc/ssh/ssh_host_key
>> # HostKeys for protocol version 2
>> #HostKey /etc/ssh/ssh_host_rsa_key
>> #HostKey /etc/ssh/ssh_host_dsa_key
>>
>> # Lifetime and size of ephemeral version 1 server key
>> #KeyRegenerationInterval 1h
>> #ServerKeyBits 768
>>
>> # Logging
>> #obsoletes QuietMode and FascistLogging
>> #SyslogFacility AUTH
>> SyslogFacility AUTHPRIV
>> #LogLevel INFO
>>
>> # Authentication:
>>
>> #LoginGraceTime 2m
>> #PermitRootLogin yes
>> #StrictModes yes
>> #MaxAuthTries 6
>>
>> #RSAAuthentication yes
>> #PubkeyAuthentication yes
>> #AuthorizedKeysFile .ssh/authorized_keys
>>
>> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
>> #RhostsRSAAuthentication no
>> # similar for protocol version 2
>> #HostbasedAuthentication no
>> # Change to yes if you don't trust ~/.ssh/known_hosts for
>> # RhostsRSAAuthentication and HostbasedAuthentication
>> #IgnoreUserKnownHosts no
>> # Don't read the user's ~/.rhosts and ~/.shosts files
>> #IgnoreRhosts yes
>>
>> # To disable tunneled clear text passwords, change to no here!
>> #PasswordAuthentication yes
>> #PermitEmptyPasswords no
>>
>> # Change to no to disable s/key passwords
>> #ChallengeResponseAuthentication yes
>>
>> # Kerberos options
>> #KerberosAuthentication no
>> #KerberosAuthentication yes
>> #KerberosOrLocalPasswd yes
>> #KerberosTicketCleanup yes
>> #KerberosGetAFSToken no
>>
>> # GSSAPI options
>> #GSSAPIAuthentication no
>> #GSSAPIAuthentication yes
>> #GSSAPICleanupCredentials yes
>> #GSSAPICleanupCredentials yes
>>
>> # Set this to 'yes' to enable PAM authentication, account processing,
>> # and session processing. If this is enabled, PAM authentication will
>> # be allowed through the ChallengeResponseAuthentication mechanism.
>> # Depending on your PAM configuration, this may bypass the setting of
>> # PasswordAuthentication, PermitEmptyPasswords, and
>> # "PermitRootLogin without-password". If you just want the PAM account and
>> # session checks to run without PAM authentication, then enable this but set
>> # ChallengeResponseAuthentication=no
>> #UsePAM no
>> UsePAM yes
>>
>> #AllowTcpForwarding yes
>> #GatewayPorts no
>> #X11Forwarding no
>> X11Forwarding yes
>> #X11DisplayOffset 10
>> #X11UseLocalhost yes
>> #PrintMotd yes
>> #PrintLastLog yes
>> #TCPKeepAlive yes
>> #UseLogin no
>> #UsePrivilegeSeparation yes
>> #PermitUserEnvironment no
>> #Compression yes
>> #ClientAliveInterval 0
>> ClientAliveInterval 600
>> #ClientAliveCountMax 3
>> #UseDNS yes
>> #PidFile /var/run/sshd.pid
>> #MaxStartups 10
>> #ShowPatchLevel no
>>
>> # no default banner path
>> #Banner /some/path
>>
>> # allow only members of the wheel group to login on AFS fileservers
>> AllowGroups wheel
>>
>> # override default of no subsystems
>> Subsystem sftp /usr/libexec/openssh/sftp-server
>
> Let me know if there is any other information that is needed to help debug
> this problem.
>
> We really want to be able to sftp to the AFS filesystem and have the krb
> credentials automatically generated.
>
> Thanks.
>
> -KAS
>
> Kurt A. Seiffert | seiffert@indiana.edu
> UITS Distributed Storage Services Group | C: 812-345-1892
> Indiana University, Bloomington | W: 1 812-855-5089
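The diagnosis in the reply above (auth succeeds in one sshd process, the session phase runs in another and finds no v5 creds) can be confirmed from syslog before touching the PAM stack. The following is an added example, not code from either poster or from the pam_krb5 project: it correlates pam_krb5 "authentication succeeds" and "no v5 creds" lines by user and PID, and separately lints a system-auth fragment for pam_krb5afs lines that lack the use_shmem and external options the reply recommends for sshd. The log lines and PAM fragments are constructed from the excerpts quoted in this thread; the lint rule encodes the reply's advice, not an official pam_krb5 requirement.

```python
import re

# Constructed sample: the relevant lines from the syslog excerpt quoted above,
# unwrapped onto single lines.
SAMPLE_LOG = """\
Oct 25 10:32:38 rfs3 sshd[4465]: pam_krb5[4465]: authentication succeeds for 'seiffert' (seiffert@IU.EDU)
Oct 25 10:32:38 rfs3 sshd[4465]: pam_krb5[4465]: pam_authenticate returning 0 (Success)
Oct 25 10:32:38 rfs3 sshd[4463]: Accepted keyboard-interactive/pam for seiffert from ::ffff:156.56.13.2 port 51720 ssh2
Oct 25 10:32:38 rfs3 sshd(pam_unix)[4467]: session opened for user seiffert by (uid=0)
Oct 25 10:32:38 rfs3 sshd[4467]: pam_krb5[4467]: no v5 creds for user 'seiffert', skipping session setup
Oct 25 10:32:38 rfs3 sshd[4467]: pam_krb5[4467]: pam_open_session returning 0 (Success)
"""

# Constructed PAM fragments: the original system-auth lines and the ones the
# reply suggests instead.
PAM_ORIGINAL = """\
auth sufficient /lib/security/$ISA/pam_krb5afs.so use_first_pass tokens
session optional /lib/security/$ISA/pam_krb5afs.so
"""
PAM_SUGGESTED = """\
auth sufficient /lib/security/$ISA/pam_krb5afs.so debug use_shmem=sshd
session sufficient /lib/security/$ISA/pam_krb5afs.so debug external use_shmem=sshd
"""

# syslog prefix as written by sshd, with or without a "(pam_unix)" tag.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd(?:\(\w+\))?\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
AUTH_OK_RE = re.compile(r"pam_krb5\[\d+\]: authentication succeeds for '(?P<user>[^']+)'")
NO_CREDS_RE = re.compile(r"pam_krb5\[\d+\]: no v5 creds for user '(?P<user>[^']+)'")


def parse_lines(text):
    """Split syslog text into dicts with ts/host/pid/msg; skip unparsable lines."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            events.append(m.groupdict())
    return events


def find_split_stack_sessions(text):
    """Return {user: (auth_pid, session_pid)} for users whose pam_krb5 auth
    succeeded in one sshd process but whose session phase reported no creds
    in a different process, which is the symptom use_shmem addresses."""
    auth_pids = {}
    findings = {}
    for ev in parse_lines(text):
        m = AUTH_OK_RE.search(ev["msg"])
        if m:
            auth_pids[m.group("user")] = ev["pid"]
            continue
        m = NO_CREDS_RE.search(ev["msg"])
        if m:
            user = m.group("user")
            auth_pid = auth_pids.get(user)
            if auth_pid is not None and auth_pid != ev["pid"]:
                findings[user] = (auth_pid, ev["pid"])
    return findings


def check_pam_stack(text):
    """Return [(module_type, problem)] for pam_krb5afs auth/session lines that
    lack the options the reply recommends when the stack is used by sshd."""
    problems = []
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) < 3 or not fields[2].endswith("pam_krb5afs.so"):
            continue
        mtype, opts = fields[0], fields[3:]
        if mtype in ("auth", "session") and not any(o.startswith("use_shmem") for o in opts):
            problems.append((mtype, "missing use_shmem"))
        if mtype == "session" and "external" not in opts:
            problems.append((mtype, "missing external"))
    return problems


if __name__ == "__main__":
    for user, (a, s) in find_split_stack_sessions(SAMPLE_LOG).items():
        print(f"{user}: auth in pid {a}, session in pid {s} -> creds not shared")
    print("original stack:", check_pam_stack(PAM_ORIGINAL))
    print("suggested stack:", check_pam_stack(PAM_SUGGESTED))
```

Run against a host's real /var/log/secure and /etc/pam.d/system-auth, a non-empty result from find_split_stack_sessions is the quickest way to tell this privilege-separation symptom apart from a genuine Kerberos failure, since the "Argument list too long" and "Invalid slot" v4 errors in the original log are noise here: pam_authenticate still returned Success.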