Tickets accepted upon login but still prompted for password
Rechenberg, Andrew
ARechenberg at shermanfinancialgroup.com
Fri Mar 15 13:04:12 EST 2002
I added those lines to my system-auth file and I still have the same results :\
-----Original Message-----
From: Ken Grady [mailto:klg at lanl.gov]
Sent: Friday, March 15, 2002 12:11 PM
To: Rechenberg, Andrew
Subject: Re: Tickets accepted upon login but still prompted for password
You need to tell PAM that Kerberos authentication is OK. We use a
different PAM, but here is our login and system-auth:
# more login
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so
# more system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_krb5.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/pam_krb5.so use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_krb5.so
Andy Rechenberg wrote:
> I have a Red Hat Linux 7.1 box setup to use Kerberos authentication
> for telnet access. The KDC is a Windows 2000 Server (SP2). I have
> successfully setup a service principal for the Linux box in the 2000
> domain and I have transferred the keytab to the Linux box and imported
> it into /etc/krb5.keytab.
>
> A user can successfully obtain tickets from the KDC while logging in,
> but when I try to test an automatic telnet login the user's tickets
> are accepted but the user is still prompted for a password. I would
> prefer the users not to be prompted once they obtain their Kerberos
> tickets.
>
> Am I missing something so obvious it's stupid? :) I have krb5-telnet
> activated in xinetd and have specified it to use login.krb5. I also
> have the default PAM config files for RH7.1. I have tried using
> authconfig to include Kerberos authentication, but that did not make a
> difference. Below are relevant configuration files and sample outputs
> from a telnet session.
>
> Any help would be greatly appreciated. Let me know if you need any
> more information. Please CC: my email address with any responses.
> Thank you in advance.
>
> Regards,
> Andrew Rechenberg
> Network Team, Sherman Financial Group
> arechenberg(at)shermanfinancialgroup.com
>
> ***********************************************************
> [root at rh71test ~]# telnet rh71test.shermfin.com
> Trying 10.1.1.55...
> Connected to rh71test.shermfin.com.
> Escape character is '^]'.
>
> rh71test.shermfin.com (Linux release 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001) (4)
>
> login: arechenberg
> Password for arechenberg:
> Last login: Fri Mar 15 10:38:46 from rh71test
>
> [arechenberg at rh71test ~]$ klist -fe
> Ticket cache: FILE:/tmp/krb5cc_p31503
> Default principal: arechenberg at SHERMFIN.COM
>
> Valid starting     Expires            Service principal
> 03/15/02 10:49:24  03/15/02 20:49:24  krbtgt/SHERMFIN.COM at SHERMFIN.COM
>         Flags: FPIA, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
> 03/15/02 10:49:24  03/15/02 10:54:24  host/rh71test.shermfin.com at SHERMFIN.COM
>         Flags: FPA, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
>
> Kerberos 4 ticket cache: /tmp/tkt601
> klist: You have no tickets cached
> [arechenberg at rh71test ~]$ telnet -a rh71test.shermfin.com
> Trying 10.1.1.55...
> Connected to rh71test.shermfin.com (10.1.1.55).
> Escape character is '^]'.
> [ Kerberos V5 accepts you as ``arechenberg at SHERMFIN.COM'' ]
> Password for arechenberg:
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^
> Tickets accepted, but still prompted for password. :\
>
> [root at rh71test ~]# cat /etc/krb5.conf
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> ticket_lifetime = 24000
> default_realm = SHERMFIN.COM
> dns_lookup_realm = false
> dns_lookup_kdc = false
> default_tgs_enctypes = des-cbc-crc des-cbc-md5
> default_tkt_enctypes = des-cbc-crc des-cbc-md5
> forwardable = true
> proxiable = true
>
> [realms]
> SHERMFIN.COM = {
> kdc = mykdc.shermfin.com:88
> default_domain = shermfin.com
> }
>
> [domain_realm]
> .shermfin.com = SHERMFIN.COM
> shermfin.com = SHERMFIN.COM
>
> [kdc]
> profile = /var/kerberos/krb5kdc/kdc.conf
>
> [pam]
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
>
> [root at rh71test ~]# cat /etc/xinetd.d/krb5-telnet
> # default: off
> # description: The kerberized telnet server accepts normal telnet
> sessions, \
> # but can also use Kerberos 5 authentication.
> service telnet
> {
> flags = REUSE
> socket_type = stream
> wait = no
> user = root
> server = /usr/kerberos/sbin/telnetd
> server_args = -a valid -L /bin/login.krb5
> log_on_failure += USERID
> disable = no
> }
>
> [root at rh71test ~]# cat /etc/pam.d/login
> #%PAM-1.0
> auth required /lib/security/pam_securetty.so
> auth required /lib/security/pam_stack.so service=system-auth
> auth required /lib/security/pam_nologin.so
> account required /lib/security/pam_stack.so service=system-auth
> password required /lib/security/pam_stack.so service=system-auth
> session required /lib/security/pam_stack.so service=system-auth
> session optional /lib/security/pam_console.so
>
> [root at rh71test ~]# cat /etc/pam.d/system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required /lib/security/pam_env.so
> auth sufficient /lib/security/pam_unix.so likeauth nullok
> auth required /lib/security/pam_deny.so
>
> account required /lib/security/pam_unix.so
>
> password required /lib/security/pam_cracklib.so retry=3
> password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
> password required /lib/security/pam_deny.so
>
> session required /lib/security/pam_limits.so
> session required /lib/security/pam_unix.so
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> http://mailman.mit.edu/mailman/listinfo/kerberos
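The advice in the thread turns on how PAM walks the auth stack. In the default Red Hat 7.1 system-auth above, the stack is pam_unix.so (sufficient) followed by pam_deny.so (required), so a password that the local shadow file rejects falls straight through to pam_deny; Ken's extra `auth sufficient /lib/security/pam_krb5.so use_first_pass` line gives the Kerberos password a chance before pam_deny is reached. What follows is an added example, not code from the thread or from the Linux-PAM or MIT Kerberos projects: a small Python simulator of the classic PAM control flags (required, requisite, sufficient, optional) that also follows Red Hat 7.x `pam_stack.so service=...` includes, fed with copies of the login and system-auth files quoted in the thread. The per-module outcomes it assumes (pam_unix failing, pam_krb5 succeeding or failing) are constructed for illustration, and it says nothing about the ticket-based `telnetd -a valid` / login.krb5 autologin that the original question is actually about; it only shows which stack lets a Kerberos-verified password through.

```python
"""PAM auth-stack simulator (added illustration, not code from the thread).

Evaluates a Linux-PAM 'auth' stack using the classic control flags
(required / requisite / sufficient / optional) and follows Red Hat 7.x
pam_stack.so 'service=NAME' includes, so the effect of adding
'auth sufficient pam_krb5.so use_first_pass' to system-auth can be seen
without touching a live box.
"""
import shlex

# Constructed copies of the files quoted in the thread: the shared
# /etc/pam.d/login, Andrew's default system-auth, and Ken's system-auth
# with pam_krb5 added.  Only the 'auth' lines matter here.
LOGIN = """\
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
"""

SYSTEM_AUTH_DEFAULT = """\
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so
"""

SYSTEM_AUTH_KRB5 = """\
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_krb5.so use_first_pass
auth required /lib/security/pam_deny.so
"""


def parse(text):
    """Return [(type, control, module, [args])] for one pam.d file."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)
        if len(fields) < 3:
            raise ValueError("malformed PAM line: %r" % line)
        mtype, control, path = fields[:3]
        module = path.rsplit("/", 1)[-1]  # /lib/security/pam_unix.so -> pam_unix.so
        entries.append((mtype, control.lower(), module, fields[3:]))
    return entries


def run_auth(service, services, results):
    """Simulate the 'auth' stack of `service`.

    services: {service name: pam.d file text}
    results:  {module name: True (PAM_SUCCESS) or False (failure)}.
              Modules not listed are assumed to succeed (pam_env,
              pam_securetty and pam_nologin normally do); pam_deny
              always fails; pam_stack recurses into another service.
    Returns (outcome, trace), trace being the modules consulted in order.
    """
    trace = []
    outcome = _run_stack(service, services, results, trace)
    return outcome, trace


def _run_stack(service, services, results, trace):
    entries = [e for e in parse(services[service]) if e[0] == "auth"]
    if not entries:
        return False  # Linux-PAM refuses an empty stack
    required_failed = False
    for _, control, module, args in entries:
        if module == "pam_stack.so":
            svc = [a.split("=", 1)[1] for a in args if a.startswith("service=")]
            if not svc:
                raise ValueError("pam_stack.so without service= in %s" % service)
            trace.append("%s -> include %s" % (service, svc[0]))
            success = _run_stack(svc[0], services, results, trace)
        elif module == "pam_deny.so":
            success = False
        else:
            success = results.get(module, True)
        trace.append("%s %s %s: %s" % (service, control, module,
                                       "ok" if success else "FAIL"))
        if control == "requisite" and not success:
            return False            # abort the stack immediately
        if control == "required" and not success:
            required_failed = True  # remember, but keep walking the stack
        if control == "sufficient" and success and not required_failed:
            return True             # short-circuit success
        # 'optional' results are ignored when other modules are present
    return not required_failed


def kerberos_password_accepted(system_auth, krb5_ok=True):
    """Scenario: the local shadow entry rejects the password (pam_unix
    fails) but the Kerberos realm would accept it when krb5_ok is True."""
    services = {"login": LOGIN, "system-auth": system_auth}
    outcome, _ = run_auth("login", services,
                          {"pam_unix.so": False, "pam_krb5.so": krb5_ok})
    return outcome


if __name__ == "__main__":
    for name, stack in (("default", SYSTEM_AUTH_DEFAULT), ("with pam_krb5", SYSTEM_AUTH_KRB5)):
        outcome, trace = run_auth("login", {"login": LOGIN, "system-auth": stack},
                                  {"pam_unix.so": False, "pam_krb5.so": True})
        print("%s system-auth -> %s" % (name, "PAM_SUCCESS" if outcome else "denied"))
        for step in trace:
            print("   ", step)
```

Run it directly to see the trace for both stacks. One thing the simulator does not capture: `use_first_pass` makes pam_krb5 reuse the password an earlier module (here pam_unix) already prompted for, so the order of the two sufficient lines matters, not just their presence; and because pam_unix is listed first, a user whose local hash matches never reaches pam_krb5 at all.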