Tickets accepted upon login but still prompted for password

Rechenberg, Andrew ARechenberg at shermanfinancialgroup.com
Fri Mar 15 14:34:49 EST 2002


OK,

If I change the telnetd options to include '-a user' or '-a valid', I don't get prompted for a password, but I receive an 'Authorization failed' error from telnetd:

[arechenberg@rh71test ~]$ klist -fe
Ticket cache: FILE:/tmp/krb5cc_601
Default principal: arechenberg@SHERMFIN.COM

Valid starting     Expires            Service principal
03/15/02 14:18:46  03/16/02 00:18:46  krbtgt/SHERMFIN.COM@SHERMFIN.COM
        Flags: FPIA, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
03/15/02 14:18:58  03/16/02 00:18:46  host/rh71test.shermfin.com@SHERMFIN.COM
        Flags: FPA, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32


Kerberos 4 ticket cache: /tmp/tkt601
klist: You have no tickets cached
[arechenberg@rh71test ~]$ telnet -a rh71test.shermfin.com
Trying 10.1.1.55...
Connected to rh71test.shermfin.com (10.1.1.55).
Escape character is '^]'.
[ Kerberos V5 accepts you as ``arechenberg@SHERMFIN.COM'' ]
telnetd: Authorization failed.
^^^^^^^^^^^^^^^^^^^^^^^^^^

Any ideas?

Andy.

-----Original Message-----
From: Ken Grady [mailto:klg at lanl.gov]
Sent: Friday, March 15, 2002 1:32 PM
To: Rechenberg, Andrew
Subject: Re: Tickets accepted upon login but still prompted for password


And you have the /lib/security/pam_krb5.so library from Red Hat installed?
Or are there extra lines in /etc/pam.d for telnet or rlogin?
We are mostly using ssh instead of telnet, so I don't have anything to check it out with.


"Rechenberg, Andrew" wrote:

> I added those lines to my system-auth file and I still have the same results :\
>
> -----Original Message-----
> From: Ken Grady [mailto:klg at lanl.gov]
> Sent: Friday, March 15, 2002 12:11 PM
> To: Rechenberg, Andrew
> Subject: Re: Tickets accepted upon login but still prompted for password
>
>     You need to tell PAM that Kerberos authentication is OK.  We use a
> different PAM, but here is our login and system-auth:
>
> # more login
> #%PAM-1.0
> auth       required     /lib/security/pam_securetty.so
> auth       required     /lib/security/pam_stack.so service=system-auth
> auth       required     /lib/security/pam_nologin.so
> account    required     /lib/security/pam_stack.so service=system-auth
> password   required     /lib/security/pam_stack.so service=system-auth
> session    required     /lib/security/pam_stack.so service=system-auth
> session    optional     /lib/security/pam_console.so
>
> # more system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      /lib/security/pam_env.so
> auth        sufficient    /lib/security/pam_unix.so likeauth nullok
> auth        sufficient    /lib/security/pam_krb5.so use_first_pass
> auth        required      /lib/security/pam_deny.so
>
> account     required      /lib/security/pam_unix.so
>
> password    required      /lib/security/pam_cracklib.so retry=3
> password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
> password    sufficient    /lib/security/pam_krb5.so use_authtok
> password    required      /lib/security/pam_deny.so
>
> session     required      /lib/security/pam_limits.so
> session     required      /lib/security/pam_unix.so
> session     optional      /lib/security/pam_krb5.so
>
> Andy Rechenberg wrote:
>
> > I have a Red Hat Linux 7.1 box setup to use Kerberos authentication
> > for telnet access.  The KDC is a Windows 2000 Server (SP2).  I have
> > successfully setup a service principal for the Linux box in the 2000
> > domain and I have transferred the keytab to the Linux box and imported
> > it into /etc/krb5.keytab.
> >
> > A user can successfully obtain tickets from the KDC while logging in,
> > but when I try to test an automatic telnet login the user's tickets
> > are accepted but the user is still prompted for a password.  I would
> > prefer the users not to be prompted once they obtain their Kerberos
> > tickets.
> >
> > Am I missing something so obvious it's stupid? :)  I have krb5-telnet
> > activated in xinetd and have specified it to use login.krb5.  I also
> > have the default PAM config files for RH7.1.  I have tried using
> > authconfig to include Kerberos authentication, but that did not make a
> > difference.  Below are relevant configuration files and sample outputs
> > from a telnet session.
> >
> > Any help would be greatly appreciated.  Let me know if you need any
> > more information.  Please CC: my email address with any responses.
> > Thank you in advance.
> >
> > Regards,
> > Andrew Rechenberg
> > Network Team, Sherman Financial Group
> > arechenberg(at)shermanfinancialgroup.com
> >
> > ***********************************************************
> > [root@rh71test ~]# telnet rh71test.shermfin.com
> > Trying 10.1.1.55...
> > Connected to rh71test.shermfin.com.
> > Escape character is '^]'.
> >
> >     rh71test.shermfin.com (Linux release 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001) (4)
> >
> > login: arechenberg
> > Password for arechenberg:
> > Last login: Fri Mar 15 10:38:46 from rh71test
> >
> > [arechenberg@rh71test ~]$ klist -fe
> > Ticket cache: FILE:/tmp/krb5cc_p31503
> > Default principal: arechenberg@SHERMFIN.COM
> >
> > Valid starting     Expires            Service principal
> > 03/15/02 10:49:24  03/15/02 20:49:24  krbtgt/SHERMFIN.COM@SHERMFIN.COM
> >         Flags: FPIA, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
> > 03/15/02 10:49:24  03/15/02 10:54:24  host/rh71test.shermfin.com@SHERMFIN.COM
> >         Flags: FPA, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
> >
> > Kerberos 4 ticket cache: /tmp/tkt601
> > klist: You have no tickets cached
> > [arechenberg@rh71test ~]$ telnet -a rh71test.shermfin.com
> > Trying 10.1.1.55...
> > Connected to rh71test.shermfin.com (10.1.1.55).
> > Escape character is '^]'.
> > [ Kerberos V5 accepts you as ``arechenberg@SHERMFIN.COM'' ]
> > Password for arechenberg:
> >
> > ^^^^^^^^^^^^^^^^^^^^^^^^^
> > Tickets accepted, but still prompted for password. :\
> >
> > [root@rh71test ~]# cat /etc/krb5.conf
> > [logging]
> >  default = FILE:/var/log/krb5libs.log
> >  kdc = FILE:/var/log/krb5kdc.log
> >  admin_server = FILE:/var/log/kadmind.log
> >
> > [libdefaults]
> >  ticket_lifetime = 24000
> >  default_realm = SHERMFIN.COM
> >  dns_lookup_realm = false
> >  dns_lookup_kdc = false
> >  default_tgs_enctypes = des-cbc-crc des-cbc-md5
> >  default_tkt_enctypes = des-cbc-crc des-cbc-md5
> >  forwardable = true
> >  proxiable = true
> >
> > [realms]
> >  SHERMFIN.COM = {
> >   kdc = mykdc.shermfin.com:88
> >   default_domain = shermfin.com
> >  }
> >
> > [domain_realm]
> >  .shermfin.com = SHERMFIN.COM
> >  shermfin.com = SHERMFIN.COM
> >
> > [kdc]
> >  profile = /var/kerberos/krb5kdc/kdc.conf
> >
> > [pam]
> >  debug = false
> >  ticket_lifetime = 36000
> >  renew_lifetime = 36000
> >  forwardable = true
> >  krb4_convert = false
> >
> > [root@rh71test ~]# cat /etc/xinetd.d/krb5-telnet
> > # default: off
> > # description: The kerberized telnet server accepts normal telnet sessions, \
> > #              but can also use Kerberos 5 authentication.
> > service telnet
> > {
> >         flags           = REUSE
> >         socket_type     = stream
> >         wait            = no
> >         user            = root
> >         server          = /usr/kerberos/sbin/telnetd
> >         server_args     = -a valid -L /bin/login.krb5
> >         log_on_failure  += USERID
> >         disable         = no
> > }
> >
> > [root@rh71test ~]# cat /etc/pam.d/login
> > #%PAM-1.0
> > auth       required     /lib/security/pam_securetty.so
> > auth       required     /lib/security/pam_stack.so service=system-auth
> > auth       required     /lib/security/pam_nologin.so
> > account    required     /lib/security/pam_stack.so service=system-auth
> > password   required     /lib/security/pam_stack.so service=system-auth
> > session    required     /lib/security/pam_stack.so service=system-auth
> > session    optional     /lib/security/pam_console.so
> >
> > [root@rh71test ~]# cat /etc/pam.d/system-auth
> > #%PAM-1.0
> > # This file is auto-generated.
> > # User changes will be destroyed the next time authconfig is run.
> > auth        required      /lib/security/pam_env.so
> > auth        sufficient    /lib/security/pam_unix.so likeauth nullok
> > auth        required      /lib/security/pam_deny.so
> >
> > account     required      /lib/security/pam_unix.so
> >
> > password    required      /lib/security/pam_cracklib.so retry=3
> > password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
> > password    required      /lib/security/pam_deny.so
> >
> > session     required      /lib/security/pam_limits.so
> > session     required      /lib/security/pam_unix.so
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > http://mailman.mit.edu/mailman/listinfo/kerberos
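Added example, not code from this thread and not MIT krb5's own implementation: a small Python model of the principal-to-account authorization decision a kerberized telnetd makes after it has already accepted the ticket, i.e. the step behind the "telnetd: Authorization failed." line in the session above. It assumes the default realm SHERMFIN.COM from the krb5.conf posted on this page and models two simplified rules: if the target account has a ~/.k5login, the authenticated principal must be listed in it and nothing else is consulted; without that file, the principal must map to the account name, which the default mapping does only for a one-component principal in the default realm. The file contents passed in are constructed sample input; ownership and permission checks on .k5login are left out of the model.

```python
"""Simplified model of the Kerberos principal -> local account check
(krb5_kuserok-style) that a kerberized telnetd performs after the
ticket has been accepted.  Added for illustration; not MIT krb5 code.

Modelled rules (assumed, simplified):
  1. If ~/.k5login exists for the target account, the principal must be
     listed in it (one principal per line, '#' comments allowed).
  2. Otherwise the principal must map to the account name: only a
     one-component principal in the default realm maps, to its own name.
"""
from dataclasses import dataclass
from typing import Optional

DEFAULT_REALM = "SHERMFIN.COM"  # taken from the krb5.conf on this page


@dataclass(frozen=True)
class Principal:
    name: str    # components joined with '/', e.g. "host/rh71test.shermfin.com"
    realm: str


def parse_principal(text: str, default_realm: str = DEFAULT_REALM) -> Principal:
    """Parse 'name@REALM' or 'a/b@REALM'.  The last '@' separates the realm;
    a principal written without a realm is placed in the default realm."""
    text = text.strip()
    if not text:
        raise ValueError("empty principal")
    if "@" in text:
        name, _, realm = text.rpartition("@")
    else:
        name, realm = text, default_realm
    if not name or not realm:
        raise ValueError(f"malformed principal: {text!r}")
    return Principal(name, realm)


def principal_to_localname(p: Principal,
                           default_realm: str = DEFAULT_REALM) -> Optional[str]:
    """Default aname->lname mapping: a single-component principal in the
    default realm maps to its own name; anything else does not map."""
    if p.realm != default_realm or "/" in p.name:
        return None
    return p.name


def k5login_allows(k5login: str, p: Principal,
                   default_realm: str = DEFAULT_REALM) -> bool:
    """True if principal p appears in the .k5login text.  Blank lines and
    '#' comments are ignored; unparsable lines never match."""
    for line in k5login.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            if parse_principal(line, default_realm) == p:
                return True
        except ValueError:
            continue
    return False


def kuserok(principal: str, local_user: str, k5login: Optional[str] = None,
            default_realm: str = DEFAULT_REALM) -> bool:
    """Decide whether `principal` may log in as `local_user`.

    k5login is the text of ~local_user/.k5login, or None when the file is
    absent.  A present file is authoritative: the name-mapping fallback is
    only used when there is no file at all."""
    p = parse_principal(principal, default_realm)
    if k5login is not None:
        return k5login_allows(k5login, p, default_realm)
    return principal_to_localname(p, default_realm) == local_user


if __name__ == "__main__":
    # Constructed sample inputs; the first case is the one from the thread.
    cases = [
        ("arechenberg@SHERMFIN.COM", "arechenberg", None),
        ("arechenberg@OTHER.COM", "arechenberg", None),
        ("arechenberg/admin@SHERMFIN.COM", "arechenberg", None),
        ("arechenberg@SHERMFIN.COM", "root", "# admins\narechenberg@SHERMFIN.COM\n"),
        ("arechenberg@SHERMFIN.COM", "arechenberg", "someoneelse@SHERMFIN.COM\n"),
    ]
    for who, acct, f in cases:
        verdict = "accepted" if kuserok(who, acct, f) else "Authorization failed"
        print(f"{who} -> {acct} (.k5login {'present' if f else 'absent'}): {verdict}")
```

The last two constructed cases show the two shapes of failure a practitioner should check for when the ticket is accepted but telnetd still refuses: the principal is in a realm other than the default realm, or a ~/.k5login exists for the account and does not name the principal. In the second case the name-mapping fallback is never reached, so a stale .k5login can lock out the account's own principal.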



