[OpenAFS] Updates to pam_krb5 not allowing ssh as root
Russ Allbery
rra@stanford.edu
Thu, 03 Sep 2009 13:22:45 -0700
Karen Eldredge <karen.eldredge@infoprint.com> writes:
> We recently just updated the pam-krb5 supplied by Russ Allbery from 3.10
> to 3.15 and since the update we are not able to ssh as root. Has anyone
> seen this behavior before? Here are the contents of /var/log/messages.
> It should be ignoring root, but from this log it seems to be failing at
> pam_sm_authenticate & pam_setcred . Any help would be appreciated.
> Sep 1 09:53:55 sprftp sshd[29205]: (pam_krb5): none: ignoring root user
> Sep 1 09:53:55 sprftp sshd[29205]: (pam_krb5): none: pam_sm_setcred: exit
> (ignore)
> Sep 1 09:53:55 sprftp sshd[29205]: pam_unix2(sshd:setcred): pam_sm_setcred()
> called
> Sep 1 09:53:55 sprftp sshd[29205]: pam_unix2(sshd:setcred): username=[root]
> Sep 1 09:53:55 sprftp sshd[29205]: pam_unix2(sshd:setcred): pam_sm_setcred:
> PAM_SUCCESS
> Sep 1 09:53:55 sprftp sshd[29205]: fatal: PAM: pam_setcred(): The return value should be ignored by PAM dispatch
Sorry I hadn't gotten a chance to reply to your message on this. I
believe you're running into this problem documented in the README:
If you use a more complex configuration with the Linux PAM [] syntax for
the session and account groups, note that pam_krb5 returns a status of
ignore, not success, if the user didn't log on with Kerberos. You may
need to handle that explicitly with ignore=ignore in your action list.
except with setcred instead of with the session or account groups. I'd
have to see your PAM configuration to be sure, though.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>