Tickets accepted upon login but still prompted for password

Rechenberg, Andrew ARechenberg at shermanfinancialgroup.com
Fri Mar 15 13:38:55 EST 2002


I have the krb5-workstation-1.2.2-4, krb5-libs-1.2.2-4, and pam_krb5-1.31-1 RPMs installed from Red Hat.  The /etc/pam.d/login and system-auth are all stock from Red Hat.  I used authconfig to make system-auth match yours (by checking the Kerberos box in the ncurses interface in authconfig and providing my KDC information).

I personally use ssh to get to the box.  The reason I also want telnet is because most of our client workstations are or will be Windows 2000 and we want to use ms2mit to copy the MS tickets to an MIT cache and a Kerberized telnet client to provide logins to the Linux box from client workstations.

Andy.

-----Original Message-----
From: Ken Grady [mailto:klg at lanl.gov]
Sent: Friday, March 15, 2002 1:32 PM
To: Rechenberg, Andrew
Subject: Re: Tickets accepted upon login but still prompted for password


And you have the /lib/security/pam_krb5.so library from RedHat installed?
Or are there extra lines in /etc/pam.d for telnet? Or rlogin?
We are mostly using ssh instead of telnet, so I don't have anything to check it out with.


"Rechenberg, Andrew" wrote:

> I added those lines to my system-auth file and I still have the same results :\
>
> -----Original Message-----
> From: Ken Grady [mailto:klg at lanl.gov]
> Sent: Friday, March 15, 2002 12:11 PM
> To: Rechenberg, Andrew
> Subject: Re: Tickets accepted upon login but still prompted for password
>
> You need to tell PAM that Kerberos authentication is OK.  We use a different PAM,
> but here is our login and system_auth
>
> # more login
> #%PAM-1.0
> auth       required     /lib/security/pam_securetty.so
> auth       required     /lib/security/pam_stack.so service=system-auth
> auth       required     /lib/security/pam_nologin.so
> account    required     /lib/security/pam_stack.so service=system-auth
> password   required     /lib/security/pam_stack.so service=system-auth
> session    required     /lib/security/pam_stack.so service=system-auth
> session    optional     /lib/security/pam_console.so
>
> # more system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      /lib/security/pam_env.so
> auth        sufficient    /lib/security/pam_unix.so likeauth nullok
> auth        sufficient    /lib/security/pam_krb5.so use_first_pass
> auth        required      /lib/security/pam_deny.so
>
> account     required      /lib/security/pam_unix.so
>
> password    required      /lib/security/pam_cracklib.so retry=3
> password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
> password    sufficient    /lib/security/pam_krb5.so use_authtok
> password    required      /lib/security/pam_deny.so
>
> session     required      /lib/security/pam_limits.so
> session     required      /lib/security/pam_unix.so
> session     optional      /lib/security/pam_krb5.so
>
> Andy Rechenberg wrote:
>
> > I have a Red Hat Linux 7.1 box setup to use Kerberos authentication
> > for telnet access.  The KDC is a Windows 2000 Server (SP2).  I have
> > successfully setup a service principal for the Linux box in the 2000
> > domain and I have transferred the keytab to the Linux box and imported
> > it into /etc/krb5.keytab.
> >
> > A user can successfully obtain tickets from the KDC while logging in,
> > but when I try to test an automatic telnet login the user's tickets
> > are accepted but the user is still prompted for a password.  I would
> > prefer the users not to be prompted once they obtain their Kerberos
> > tickets.
> >
> > Am I missing something so obvious it's stupid? :)  I have krb5-telnet
> > activated in xinetd and have specified it to use login.krb5.  I also
> > have the default PAM config files for RH7.1.  I have tried using
> > authconfig to include Kerberos authentication, but that did not make a
> > difference.  Below are relevant configuration files and sample outputs
> > from a telnet session.
> >
> > Any help would be greatly appreciated.  Let me know if you need any
> > more information.  Please CC: my email address with any responses.
> > Thank you in advance.
> >
> > Regards,
> > Andrew Rechenberg
> > Network Team, Sherman Financial Group
> > arechenberg(at)shermanfinancialgroup.com
> >
> > ***********************************************************
> > [root@rh71test ~]# telnet rh71test.shermfin.com
> > Trying 10.1.1.55...
> > Connected to rh71test.shermfin.com.
> > Escape character is '^]'.
> >
> >     rh71test.shermfin.com (Linux release 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001) (4)
> >
> > login: arechenberg
> > Password for arechenberg:
> > Last login: Fri Mar 15 10:38:46 from rh71test
> >
> > [arechenberg@rh71test ~]$ klist -fe
> > Ticket cache: FILE:/tmp/krb5cc_p31503
> > Default principal: arechenberg@SHERMFIN.COM
> >
> > Valid starting     Expires            Service principal
> > 03/15/02 10:49:24  03/15/02 20:49:24  krbtgt/SHERMFIN.COM@SHERMFIN.COM
> >         Flags: FPIA, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
> > 03/15/02 10:49:24  03/15/02 10:54:24  host/rh71test.shermfin.com@SHERMFIN.COM
> >         Flags: FPA, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
> >
> > Kerberos 4 ticket cache: /tmp/tkt601
> > klist: You have no tickets cached
> > [arechenberg@rh71test ~]$ telnet -a rh71test.shermfin.com
> > Trying 10.1.1.55...
> > Connected to rh71test.shermfin.com (10.1.1.55).
> > Escape character is '^]'.
> > [ Kerberos V5 accepts you as ``arechenberg@SHERMFIN.COM'' ]
> > Password for arechenberg:
> >
> > ^^^^^^^^^^^^^^^^^^^^^^^^^
> > Tickets accepted, but still prompted for password. :\
> >
> > [root@rh71test ~]# cat /etc/krb5.conf
> > [logging]
> >  default = FILE:/var/log/krb5libs.log
> >  kdc = FILE:/var/log/krb5kdc.log
> >  admin_server = FILE:/var/log/kadmind.log
> >
> > [libdefaults]
> >  ticket_lifetime = 24000
> >  default_realm = SHERMFIN.COM
> >  dns_lookup_realm = false
> >  dns_lookup_kdc = false
> >  default_tgs_enctypes = des-cbc-crc des-cbc-md5
> >  default_tkt_enctypes = des-cbc-crc des-cbc-md5
> >  forwardable = true
> >  proxiable = true
> >
> > [realms]
> >  SHERMFIN.COM = {
> >   kdc = mykdc.shermfin.com:88
> >   default_domain = shermfin.com
> >  }
> >
> > [domain_realm]
> >  .shermfin.com = SHERMFIN.COM
> >  shermfin.com = SHERMFIN.COM
> >
> > [kdc]
> >  profile = /var/kerberos/krb5kdc/kdc.conf
> >
> > [pam]
> >  debug = false
> >  ticket_lifetime = 36000
> >  renew_lifetime = 36000
> >  forwardable = true
> >  krb4_convert = false
> >
> > [root@rh71test ~]# cat /etc/xinetd.d/krb5-telnet
> > # default: off
> > # description: The kerberized telnet server accepts normal telnet sessions, \
> > #              but can also use Kerberos 5 authentication.
> > service telnet
> > {
> >         flags           = REUSE
> >         socket_type     = stream
> >         wait            = no
> >         user            = root
> >         server          = /usr/kerberos/sbin/telnetd
> >         server_args     = -a valid -L /bin/login.krb5
> >         log_on_failure  += USERID
> >         disable         = no
> > }
> >
> > [root@rh71test ~]# cat /etc/pam.d/login
> > #%PAM-1.0
> > auth       required     /lib/security/pam_securetty.so
> > auth       required     /lib/security/pam_stack.so service=system-auth
> > auth       required     /lib/security/pam_nologin.so
> > account    required     /lib/security/pam_stack.so service=system-auth
> > password   required     /lib/security/pam_stack.so service=system-auth
> > session    required     /lib/security/pam_stack.so service=system-auth
> > session    optional     /lib/security/pam_console.so
> >
> > [root@rh71test ~]# cat /etc/pam.d/system-auth
> > #%PAM-1.0
> > # This file is auto-generated.
> > # User changes will be destroyed the next time authconfig is run.
> > auth        required      /lib/security/pam_env.so
> > auth        sufficient    /lib/security/pam_unix.so likeauth nullok
> > auth        required      /lib/security/pam_deny.so
> >
> > account     required      /lib/security/pam_unix.so
> >
> > password    required      /lib/security/pam_cracklib.so retry=3
> > password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
> > password    required      /lib/security/pam_deny.so
> >
> > session     required      /lib/security/pam_limits.so
> > session     required      /lib/security/pam_unix.so
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > http://mailman.mit.edu/mailman/listinfo/kerberos
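
Added example, not part of the thread or of any poster's configuration: a simplified Python model of PAM control-flag evaluation, run over the two system-auth auth stacks quoted above (the stock one and the one with pam_krb5.so). The module outcomes fed to it are constructed, and any control flag other than sufficient, optional or requisite is treated as required, which is an assumption of this model.

```python
# Added illustration: simplified model of how PAM walks an "auth" stack.
# The two auth stacks are the system-auth ones quoted in the thread.
STOCK = """
auth  required    /lib/security/pam_env.so
auth  sufficient  /lib/security/pam_unix.so likeauth nullok
auth  required    /lib/security/pam_deny.so
"""
WITH_KRB5 = """
auth  required    /lib/security/pam_env.so
auth  sufficient  /lib/security/pam_unix.so likeauth nullok
auth  sufficient  /lib/security/pam_krb5.so use_first_pass
auth  required    /lib/security/pam_deny.so
"""

def parse(text, group="auth"):
    """Return [(control, module_name)] for one management group."""
    stack = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments and blanks
        if len(fields) >= 3 and fields[0] == group:
            stack.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return stack

def evaluate(stack, outcome):
    """outcome maps module name -> True (PAM_SUCCESS) or False (failure).
    Returns (granted, modules_consulted)."""
    required_failed, any_success, ran = False, False, []
    for control, module in stack:
        ok = outcome[module]
        ran.append(module)
        if control == "sufficient":
            if ok and not required_failed:
                return True, ran        # stack stops here with success
            continue                    # a failed sufficient is ignored
        if control == "optional":
            continue                    # simplified: never decides alone
        if ok:                          # required / requisite (assumed default)
            any_success = True
        else:
            required_failed = True
            if control == "requisite":
                return False, ran       # fail immediately
    return (any_success and not required_failed), ran

def scenario(local_password_ok, kdc_password_ok):
    """Constructed outcomes: pam_env succeeds, pam_deny always fails."""
    return {"pam_env.so": True, "pam_deny.so": False,
            "pam_unix.so": local_password_ok, "pam_krb5.so": kdc_password_ok}

if __name__ == "__main__":
    for name, text in (("stock", STOCK), ("with pam_krb5", WITH_KRB5)):
        for local, kdc in ((True, False), (False, True), (False, False)):
            print(name, local, kdc, evaluate(parse(text), scenario(local, kdc)))
```

With no matching local password but a password the KDC accepts, the stock stack falls through to pam_deny.so, while the second stack stops at pam_krb5.so with success. The use_first_pass option makes pam_krb5.so reuse the password an earlier module collected instead of prompting again.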



