Tickets accepted upon login but still prompted for password

Rechenberg, Andrew ARechenberg at shermanfinancialgroup.com
Fri Mar 15 13:04:12 EST 2002


I added those lines to my system-auth file and I still have the same results :\

-----Original Message-----
From: Ken Grady [mailto:klg at lanl.gov]
Sent: Friday, March 15, 2002 12:11 PM
To: Rechenberg, Andrew
Subject: Re: Tickets accepted upon login but still prompted for password


You need to tell PAM that Kerberos authentication is OK. We use a different PAM,
but here is our login and system-auth:

# more login
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so

# more system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_krb5.so use_first_pass
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so

password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/pam_krb5.so use_authtok
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_krb5.so

Andy Rechenberg wrote:

> I have a Red Hat Linux 7.1 box setup to use Kerberos authentication
> for telnet access.  The KDC is a Windows 2000 Server (SP2).  I have
> successfully setup a service principal for the Linux box in the 2000
> domain and I have transferred the keytab to the Linux box and imported
> it into /etc/krb5.keytab.
>
> A user can successfully obtain tickets from the KDC while logging in,
> but when I try to test an automatic telnet login the user's tickets
> are accepted but the user is still prompted for a password.  I would
> prefer the users not to be prompted once they obtain their Kerberos
> tickets.
>
> Am I missing something so obvious it's stupid? :)  I have krb5-telnet
> activated in xinetd and have specified it to use login.krb5.  I also
> have the default PAM config files for RH7.1.  I have tried using
> authconfig to include Kerberos authentication, but that did not make a
> difference.  Below are relevant configuration files and sample outputs
> from a telnet session.
>
> Any help would be greatly appreciated.  Let me know if you need any
> more information.  Please CC: my email address with any responses.
> Thank you in advance.
>
> Regards,
> Andrew Rechenberg
> Network Team, Sherman Financial Group
> arechenberg(at)shermanfinancialgroup.com
>
> ***********************************************************
> [root at rh71test ~]# telnet rh71test.shermfin.com
> Trying 10.1.1.55...
> Connected to rh71test.shermfin.com.
> Escape character is '^]'.
>
>     rh71test.shermfin.com (Linux release 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001) (4)
>
> login: arechenberg
> Password for arechenberg:
> Last login: Fri Mar 15 10:38:46 from rh71test
>
> [arechenberg at rh71test ~]$ klist -fe
> Ticket cache: FILE:/tmp/krb5cc_p31503
> Default principal: arechenberg at SHERMFIN.COM
>
> Valid starting     Expires            Service principal
> 03/15/02 10:49:24  03/15/02 20:49:24  krbtgt/SHERMFIN.COM at SHERMFIN.COM
>         Flags: FPIA, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
> 03/15/02 10:49:24  03/15/02 10:54:24  host/rh71test.shermfin.com at SHERMFIN.COM
>         Flags: FPA, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
>
> Kerberos 4 ticket cache: /tmp/tkt601
> klist: You have no tickets cached
> [arechenberg at rh71test ~]$ telnet -a rh71test.shermfin.com
> Trying 10.1.1.55...
> Connected to rh71test.shermfin.com (10.1.1.55).
> Escape character is '^]'.
> [ Kerberos V5 accepts you as ``arechenberg at SHERMFIN.COM'' ]
> Password for arechenberg:
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^
> Tickets accepted, but still prompted for password. :\
>
> [root at rh71test ~]# cat /etc/krb5.conf
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  ticket_lifetime = 24000
>  default_realm = SHERMFIN.COM
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  default_tgs_enctypes = des-cbc-crc des-cbc-md5
>  default_tkt_enctypes = des-cbc-crc des-cbc-md5
>  forwardable = true
>  proxiable = true
>
> [realms]
>  SHERMFIN.COM = {
>   kdc = mykdc.shermfin.com:88
>   default_domain = shermfin.com
>  }
>
> [domain_realm]
>  .shermfin.com = SHERMFIN.COM
>  shermfin.com = SHERMFIN.COM
>
> [kdc]
>  profile = /var/kerberos/krb5kdc/kdc.conf
>
> [pam]
>  debug = false
>  ticket_lifetime = 36000
>  renew_lifetime = 36000
>  forwardable = true
>  krb4_convert = false
>
> [root at rh71test ~]# cat /etc/xinetd.d/krb5-telnet
> # default: off
> # description: The kerberized telnet server accepts normal telnet sessions, \
> #              but can also use Kerberos 5 authentication.
> service telnet
> {
>         flags           = REUSE
>         socket_type     = stream
>         wait            = no
>         user            = root
>         server          = /usr/kerberos/sbin/telnetd
>         server_args     = -a valid -L /bin/login.krb5
>         log_on_failure  += USERID
>         disable         = no
> }
>
> [root at rh71test ~]# cat /etc/pam.d/login
> #%PAM-1.0
> auth       required     /lib/security/pam_securetty.so
> auth       required     /lib/security/pam_stack.so service=system-auth
> auth       required     /lib/security/pam_nologin.so
> account    required     /lib/security/pam_stack.so service=system-auth
> password   required     /lib/security/pam_stack.so service=system-auth
> session    required     /lib/security/pam_stack.so service=system-auth
> session    optional     /lib/security/pam_console.so
>
> [root at rh71test ~]# cat /etc/pam.d/system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      /lib/security/pam_env.so
> auth        sufficient    /lib/security/pam_unix.so likeauth nullok
> auth        required      /lib/security/pam_deny.so
>
> account     required      /lib/security/pam_unix.so
>
> password    required      /lib/security/pam_cracklib.so retry=3
> password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
> password    required      /lib/security/pam_deny.so
>
> session     required      /lib/security/pam_limits.so
> session     required      /lib/security/pam_unix.so
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> http://mailman.mit.edu/mailman/listinfo/kerberos
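Added example, not part of the thread above and not code from either poster: a small checker for Red Hat 7.x-era Linux-PAM stacks, which chain files through `pam_stack.so service=...`. It flattens the auth stack of a service (following the include into system-auth) and reports how pam_krb5 is wired in. The sample files are constructed from the login and system-auth files quoted in the two posts; everything else (function names, the report keys) is this example's own.

```python
"""Added example (not from the thread): a checker for Red Hat 7.x-era Linux-PAM
stacks that use pam_stack.so service=... includes. It flattens a service's
auth stack and reports how pam_krb5 is wired. The sample files are constructed
from the login and system-auth files quoted in the thread."""
import re
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class PamEntry:
    mtype: str                 # auth / account / password / session
    control: str               # required / requisite / sufficient / optional
    module: str                # basename, e.g. pam_krb5.so
    args: List[str] = field(default_factory=list)


def parse_pam(text: str) -> List[PamEntry]:
    """Parse one pam.d file: strips comments, joins backslash continuations."""
    text = re.sub(r"\\\n[ \t]*", " ", text)
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        mtype, control, module, *args = parts
        entries.append(PamEntry(mtype, control, module.rsplit("/", 1)[-1], args))
    return entries


def expand_stack(service: str, files: Dict[str, str], mtype: str,
                 _seen=frozenset()) -> List[PamEntry]:
    """Effective entries of one type for `service`, with every
    pam_stack.so service=NAME line replaced by NAME's entries (loop-safe)."""
    if service in _seen:
        raise ValueError(f"pam_stack loop at {service}")
    out = []
    for e in parse_pam(files[service]):
        if e.mtype != mtype:
            continue
        if e.module == "pam_stack.so":
            target = next(a[len("service="):] for a in e.args if a.startswith("service="))
            out.extend(expand_stack(target, files, mtype, _seen | {service}))
        else:
            out.append(e)
    return out


def auth_report(service: str, files: Dict[str, str]) -> dict:
    """Summarise how the flattened auth stack of `service` treats Kerberos."""
    stack = expand_stack(service, files, "auth")
    modules = [e.module for e in stack]
    krb = next((e for e in stack if e.module == "pam_krb5.so"), None)
    return {
        "modules": modules,
        "krb5_present": krb is not None,
        "krb5_control": krb.control if krb else None,
        # use_first_pass makes pam_krb5 reuse the password pam_unix already
        # prompted for: the user is still asked once, and no module in these
        # stacks consults a ticket cache.
        "krb5_use_first_pass": krb is not None and "use_first_pass" in krb.args,
        "unix_before_krb5": (krb is not None and "pam_unix.so" in modules and
                             modules.index("pam_unix.so") < modules.index("pam_krb5.so")),
    }


# Constructed samples: /etc/pam.d/login is identical in both posts.
LOGIN = """\
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
"""
# Andrew's system-auth: only pam_unix can succeed before pam_deny.
ANDREW_FILES = {"login": LOGIN, "system-auth": """\
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so
account     required      /lib/security/pam_unix.so
"""}
# Ken's system-auth: pam_krb5 added as a second sufficient module.
KEN_FILES = {"login": LOGIN, "system-auth": """\
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_krb5.so use_first_pass
auth        required      /lib/security/pam_deny.so
account     required      /lib/security/pam_unix.so
"""}

if __name__ == "__main__":
    for who, files in (("andrew", ANDREW_FILES), ("ken", KEN_FILES)):
        print(who, auth_report("login", files))
```

Run against the two sets of files, the report makes the difference between the posts concrete: Andrew's flattened auth stack is securetty, env, unix, deny, nologin, with no pam_krb5 at all, so the only module that can ever succeed is pam_unix and it must prompt; Ken's inserts pam_krb5 as sufficient with use_first_pass right after pam_unix. Note the caveat that use_first_pass does not remove the prompt, it only hands the password pam_unix already collected to pam_krb5, and neither stack contains anything that would accept the ticket telnetd has already validated; whether login.krb5 runs the PAM auth stack at all for a user telnetd pre-authenticated is not something the thread settles.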
