[OpenAFS] Updates to pam_krb5 not allowing ssh as root

Russ Allbery rra@stanford.edu
Thu, 03 Sep 2009 13:22:45 -0700


Karen Eldredge <karen.eldredge@infoprint.com> writes:

> We recently just updated the pam-krb5 supplied by Russ Allbery from 3.10
> to 3.15 and since the update we are not able to ssh as root.  Has anyone
> seen this behavior before?  Here are the contents of /var/log/messages.
> It should be ignoring root, but from this log it seems to be failing at
> pam_sm_authenticate & pam_setcred.  Any help would be appreciated.

> Sep  1 09:53:55 sprftp sshd[29205]: (pam_krb5): none: ignoring root user
> Sep  1 09:53:55 sprftp sshd[29205]: (pam_krb5): none: pam_sm_setcred: exit (ignore)
> Sep  1 09:53:55 sprftp sshd[29205]: pam_unix2(sshd:setcred): pam_sm_setcred() called
> Sep  1 09:53:55 sprftp sshd[29205]: pam_unix2(sshd:setcred): username=[root]
> Sep  1 09:53:55 sprftp sshd[29205]: pam_unix2(sshd:setcred): pam_sm_setcred: PAM_SUCCESS
> Sep  1 09:53:55 sprftp sshd[29205]: fatal: PAM: pam_setcred(): The return value should be ignored by PAM dispatch

Sorry I hadn't gotten a chance to reply to your message on this.  I
believe you're running into this problem documented in the README:

  If you use a more complex configuration with the Linux PAM [] syntax for
  the session and account groups, note that pam_krb5 returns a status of
  ignore, not success, if the user didn't log on with Kerberos.  You may
  need to handle that explicitly with ignore=ignore in your action list.

except with setcred instead of with the session or account groups.  I'd
have to see your PAM configuration to be sure, though.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
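
The README advice quoted above, applied to the auth group (which is also the stack pam_setcred runs through), as an added example that is not part of the original message and is not the poster's actual configuration. The file path, the module order and the `ignore_root` argument are assumptions made for illustration.

```conf
# /etc/pam.d/sshd  (constructed example; use one variant, not both)

# Variant A: bracket syntax with no entry for "ignore".
# When pam_krb5 skips root it returns PAM_IGNORE. That value is not listed,
# so the default action (bad) applies to it and the stack can fail with
# PAM_IGNORE as its status, even though pam_unix2 returned PAM_SUCCESS.
auth  [success=ok new_authtok_reqd=ok default=bad]                pam_krb5.so ignore_root
auth  required                                                    pam_unix2.so

# Variant B: the same control with ignore handled explicitly.
# PAM_IGNORE from pam_krb5 is now dropped from the result, and the outcome
# for root is decided by pam_unix2 alone. This action list is what the
# plain "required" keyword expands to in Linux PAM.
auth  [success=ok new_authtok_reqd=ok ignore=ignore default=bad]  pam_krb5.so ignore_root
auth  required                                                    pam_unix2.so
```

After changing the stack, keep an existing root session open while testing a new login, so a mistake in the action list cannot lock out administrative access.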