Tickets accepted upon login but still prompted for password
Rechenberg, Andrew
ARechenberg at shermanfinancialgroup.com
Fri Mar 15 11:10:22 EST 2002
I posted this message to the newsgroup. I took the plunge and subscribed to the mailing list, so I am forwarding my question to the list. I apologize for the duplication if this message has already been read.
Thanks again for any help.
Andy.
Andrew Rechenberg
Network Team, Sherman Financial Group
arechenberg at shermanfinancialgroup.com
-----Original Message-----
I have a Red Hat Linux 7.1 box set up to use Kerberos authentication
for telnet access. The KDC is a Windows 2000 Server (SP2). I have
successfully set up a service principal for the Linux box in the 2000
domain and I have transferred the keytab to the Linux box and imported
it into /etc/krb5.keytab.
A user can successfully obtain tickets from the KDC while logging in,
but when I try to test an automatic telnet login the user's tickets
are accepted but the user is still prompted for a password. I would
prefer the users not to be prompted once they obtain their Kerberos
tickets.
Am I missing something so obvious it's stupid? :) I have krb5-telnet
activated in xinetd and have specified it to use login.krb5. I also
have the default PAM config files for RH7.1. I have tried using
authconfig to include Kerberos authentication, but that did not make a
difference. Below are relevant configuration files and sample outputs
from a telnet session.
Any help would be greatly appreciated. Let me know if you need any
more information. Please CC: my email address with any responses.
Thank you in advance.
Regards,
Andrew Rechenberg
Network Team, Sherman Financial Group
arechenberg(at)shermanfinancialgroup.com
***********************************************************
[root@rh71test ~]# telnet rh71test.shermfin.com
Trying 10.1.1.55...
Connected to rh71test.shermfin.com.
Escape character is '^]'.
rh71test.shermfin.com (Linux release 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001) (4)
login: arechenberg
Password for arechenberg:
Last login: Fri Mar 15 10:38:46 from rh71test
[arechenberg@rh71test ~]$ klist -fe
Ticket cache: FILE:/tmp/krb5cc_p31503
Default principal: arechenberg@SHERMFIN.COM
Valid starting     Expires            Service principal
03/15/02 10:49:24  03/15/02 20:49:24  krbtgt/SHERMFIN.COM@SHERMFIN.COM
        Flags: FPIA, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
03/15/02 10:49:24  03/15/02 10:54:24  host/rh71test.shermfin.com@SHERMFIN.COM
        Flags: FPA, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
Kerberos 4 ticket cache: /tmp/tkt601
klist: You have no tickets cached
[arechenberg@rh71test ~]$ telnet -a rh71test.shermfin.com
Trying 10.1.1.55...
Connected to rh71test.shermfin.com (10.1.1.55).
Escape character is '^]'.
[ Kerberos V5 accepts you as ``arechenberg@SHERMFIN.COM'' ]
Password for arechenberg:
^^^^^^^^^^^^^^^^^^^^^^^^^
Tickets accepted, but still prompted for password. :\
[root@rh71test ~]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = SHERMFIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
default_tgs_enctypes = des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5
forwardable = true
proxiable = true
[realms]
SHERMFIN.COM = {
kdc = mykdc.shermfin.com:88
default_domain = shermfin.com
}
[domain_realm]
.shermfin.com = SHERMFIN.COM
shermfin.com = SHERMFIN.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[pam]
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
[root@rh71test ~]# cat /etc/xinetd.d/krb5-telnet
# default: off
# description: The kerberized telnet server accepts normal telnet sessions, \
#              but can also use Kerberos 5 authentication.
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/kerberos/sbin/telnetd
server_args = -a valid -L /bin/login.krb5
log_on_failure += USERID
disable = no
}
[root@rh71test ~]# cat /etc/pam.d/login
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so
[root@rh71test ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
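The `klist -fe` output in the post carries more information than the eye picks up at a glance: the flag letters (FPIA on the TGT, FPA on the host ticket), the session-key and ticket enctypes (single DES with CRC-32 on both), and the lifetimes (ten hours for the TGT, five minutes for the host ticket). The following is an added example, not code from the original post or from the MIT Kerberos distribution, that parses that output, decodes the flag letters per the MIT `klist` man page, and flags the things a practitioner would want to check before digging into PAM or telnetd. It assumes the `klist -fe` line layout shown above (MIT krb5 1.2-era formatting); the sample text is the post's own output reproduced as a constant, and the lifetime threshold in `audit()` is an arbitrary choice for illustration. It says nothing about why the password prompt appears; it only makes the ticket state inspectable.

```python
"""Parse MIT Kerberos `klist -fe` output and audit ticket flags, lifetimes and enctypes."""
import re
from datetime import datetime

# The klist -fe output from the post above, reproduced here as a constant.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_p31503
Default principal: arechenberg@SHERMFIN.COM
Valid starting     Expires            Service principal
03/15/02 10:49:24  03/15/02 20:49:24  krbtgt/SHERMFIN.COM@SHERMFIN.COM
        Flags: FPIA, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
03/15/02 10:49:24  03/15/02 10:54:24  host/rh71test.shermfin.com@SHERMFIN.COM
        Flags: FPA, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
"""

# Flag letters as documented in the MIT klist man page.
FLAG_NAMES = {
    "F": "forwardable", "f": "forwarded",
    "P": "proxiable", "p": "proxy",
    "D": "postdateable", "d": "postdated",
    "R": "renewable", "I": "initial", "i": "invalid",
    "H": "hardware-authenticated", "A": "preauthenticated",
    "T": "transit-policy-checked", "O": "ok-as-delegate", "a": "anonymous",
}

TIME_FMT = "%m/%d/%y %H:%M:%S"
TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)\s*$")
FLAGS_RE = re.compile(
    r"^\s*Flags:\s*(\S+),\s*Etype \(skey, tkt\):\s*(.+?),\s*(.+?)\s*$")


def decode_flags(letters):
    """Map a flag string such as 'FPIA' to a set of names; unknown letters are kept raw."""
    return {FLAG_NAMES.get(c, "unknown:" + c) for c in letters}


def enctype_strength(name):
    """Classify a klist -e enctype description by its well-known prefix."""
    if name.startswith("DES cbc"):          # single DES: 56-bit key, broken
        return "single-DES (broken)"
    if name.startswith("Triple DES") or name.startswith("ArcFour"):
        return "legacy (deprecated)"        # 3DES and RC4, deprecated by RFC 8429
    if name.startswith("AES"):
        return "ok"
    return "unknown"


def parse_klist(text):
    """Return {'cache', 'principal', 'tickets': [...]}, one dict per credential."""
    result = {"cache": None, "principal": None, "tickets": []}
    current = None
    for line in text.splitlines():
        if line.startswith("Ticket cache:"):
            result["cache"] = line.split(":", 1)[1].strip()
            continue
        if line.startswith("Default principal:"):
            result["principal"] = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            start = datetime.strptime(m.group(1), TIME_FMT)
            expires = datetime.strptime(m.group(2), TIME_FMT)
            current = {
                "service": m.group(3), "start": start, "expires": expires,
                "lifetime_s": int((expires - start).total_seconds()),
                "flags": set(), "skey_enctype": None, "tkt_enctype": None,
                "skey_strength": None, "tkt_strength": None,
            }
            result["tickets"].append(current)
            continue
        m = FLAGS_RE.match(line)
        if m and current is not None:  # the Flags line belongs to the ticket just seen
            current["flags"] = decode_flags(m.group(1))
            current["skey_enctype"], current["tkt_enctype"] = m.group(2), m.group(3)
            current["skey_strength"] = enctype_strength(m.group(2))
            current["tkt_strength"] = enctype_strength(m.group(3))
    return result


def audit(parsed, min_service_lifetime_s=3600):
    """Findings worth checking: weak enctypes and unusually short service tickets.

    The 3600 s threshold is an arbitrary value chosen for this example."""
    findings = []
    for t in parsed["tickets"]:
        for which in ("skey", "tkt"):
            if t[which + "_strength"] != "ok":
                findings.append("%s: %s enctype '%s' is %s" % (
                    t["service"], which, t[which + "_enctype"], t[which + "_strength"]))
        if not t["service"].startswith("krbtgt/") and t["lifetime_s"] < min_service_lifetime_s:
            findings.append("%s: service ticket lifetime is only %d s" % (
                t["service"], t["lifetime_s"]))
    return findings


if __name__ == "__main__":
    parsed = parse_klist(SAMPLE_KLIST)
    for t in parsed["tickets"]:
        print(t["service"], sorted(t["flags"]), t["lifetime_s"], "s")
    for f in audit(parsed):
        print("WARN", f)
```

Run against the posted output, it reports that only the TGT carries the `initial` flag (as expected for a ticket obtained directly from the KDC), that every key in the cache is single DES, and that the `host/` ticket is valid for just 300 seconds. Whether either is related to the password prompt is a separate question; the point is to read the cache state from the data instead of eyeballing it.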