Tickets accepted upon login but still prompted for password
Rechenberg, Andrew
ARechenberg at shermanfinancialgroup.com
Fri Mar 15 14:34:49 EST 2002
OK,
If I change the telnetd options to include '-a user' or '-a valid' I don't get prompted for a password, but I receive an 'Authroization failed' error from telnetd:
[arechenberg at rh71test ~]$ klist -fe
Ticket cache: FILE:/tmp/krb5cc_601
Default principal: arechenberg at SHERMFIN.COM
Valid starting Expires Service principal
03/15/02 14:18:46 03/16/02 00:18:46 krbtgt/SHERMFIN.COM at SHERMFIN.COM
Flags: FPIA, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
03/15/02 14:18:58 03/16/02 00:18:46 host/rh71test.shermfin.com at SHERMFIN.COM
Flags: FPA, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
Kerberos 4 ticket cache: /tmp/tkt601
klist: You have no tickets cached
[arechenberg at rh71test ~]$ telnet -a rh71test.shermfin.com
Trying 10.1.1.55...
Connected to rh71test.shermfin.com (10.1.1.55).
Escape character is '^]'.
[ Kerberos V5 accepts you as ``arechenberg at SHERMFIN.COM'' ]
telnetd: Authorization failed.
^^^^^^^^^^^^^^^^^^^^^^^^^^
Any ideas?
Andy.
-----Original Message-----
From: Ken Grady [mailto:klg at lanl.gov]
Sent: Friday, March 15, 2002 1:32 PM
To: Rechenberg, Andrew
Subject: Re: Tickets accepted upon login but still prompted for password
and you have the /lib/security/pam_krb5.so library from RedHat installed?
or are there extra lines in /etc/pam.d for telnet? or rlogin?
We are mostly using ssh instead of telnet, so I don't have anything to check it out
with.
"Rechenberg, Andrew" wrote:
> I added those lines to my system-auth file and I still have the sames results :\
>
> -----Original Message-----
> From: Ken Grady [mailto:klg at lanl.gov]
> Sent: Friday, March 15, 2002 12:11 PM
> To: Rechenberg, Andrew
> Subject: Re: Tickets accepted upon login but still prompted for password
>
> You need to tell PAM that kerberos authentication is ok. we use a
> different PAM
> but here is our login and system_auth
>
> # more login
> #%PAM-1.0
> auth required /lib/security/pam_securetty.so
> auth required /lib/security/pam_stack.so service=system-auth
> auth required /lib/security/pam_nologin.so
> account required /lib/security/pam_stack.so service=system-auth
> password required /lib/security/pam_stack.so service=system-auth
> session required /lib/security/pam_stack.so service=system-auth
> session optional /lib/security/pam_console.so
>
> # more system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required /lib/security/pam_env.so
> auth sufficient /lib/security/pam_unix.so likeauth nullok
> auth sufficient /lib/security/pam_krb5.so use_first_pass
> auth required /lib/security/pam_deny.so
>
> account required /lib/security/pam_unix.so
>
> password required /lib/security/pam_cracklib.so retry=3
> password sufficient /lib/security/pam_unix.so nullok use_authtok
> md5 shado
> w
> password sufficient /lib/security/pam_krb5.so use_authtok
> password required /lib/security/pam_deny.so
>
> session required /lib/security/pam_limits.so
> session required /lib/security/pam_unix.so
> session optional /lib/security/pam_krb5.so
>
> Andy Rechenberg wrote:
>
> > I have a Red Hat Linux 7.1 box setup to use Kerberos authentication
> > for telnet access. The KDC is a Windows 2000 Server (SP2). I have
> > successfully setup a service principal for the Linux box in the 2000
> > domain and I have transferred the keytab to the Linux box and imported
> > it into /etc/krb5.keytab.
> >
> > A user can successfully obtain tickets from the KDC while logging in,
> > but when I try to test an automatic telnet login the user's tickets
> > are accepted but the user is still prompted for a password. I would
> > prefer the users not to be prompted once they obtain their Kerberos
> > tickets.
> >
> > Am I missing something so obvious it's stupid? :) I have krb5-telnet
> > activated in xinetd and have specified it to use login.krb5. I also
> > have the default PAM config files for RH7.1. I have tried using
> > authconfig to include Kerberos authentication, but that did not make a
> > difference. Below are relevant configuration files and sample outputs
> > from a telnet session.
> >
> > Any help would be greatly appreciated. Let me know if you need any
> > more information. Please CC: my email address with any responses.
> > Thank you in advance.
> >
> > Regards,
> > Andrew Rechenberg
> > Network Team, Sherman Financial Group
> > arechenberg(at)shermanfinancialgroup.com
> >
> > ***********************************************************
> > [root at rh71test ~]# telnet rh71test.shermfin.com
> > Trying 10.1.1.55...
> > Connected to rh71test.shermfin.com.
> > Escape character is '^]'.
> >
> > rh71test.shermfin.com (Linux release 2.4.2-2 #1 Sun Apr 8 20:41:30
> > EDT 2001) (4)
> >
> > login: arechenberg
> > Password for arechenberg:
> > Last login: Fri Mar 15 10:38:46 from rh71test
> >
> > [arechenberg at rh71test ~]$ klist -fe
> > Ticket cache: FILE:/tmp/krb5cc_p31503
> > Default principal: arechenberg at SHERMFIN.COM
> >
> > Valid starting Expires Service principal
> > 03/15/02 10:49:24 03/15/02 20:49:24 krbtgt/SHERMFIN.COM at SHERMFIN.COM
> > Flags: FPIA, Etype (skey, tkt): DES cbc mode with CRC-32, DES
> > cbc mode with CRC-32
> > 03/15/02 10:49:24 03/15/02 10:54:24
> > host/rh71test.shermfin.com at SHERMFIN.COM
> > Flags: FPA, Etype (skey, tkt): DES cbc mode with CRC-32, DES
> > cbc mode with CRC-32
> >
> > Kerberos 4 ticket cache: /tmp/tkt601
> > klist: You have no tickets cached
> > [arechenberg at rh71test ~]$ telnet -a rh71test.shermfin.com
> > Trying 10.1.1.55...
> > Connected to rh71test.shermfin.com (10.1.1.55).
> > Escape character is '^]'.
> > [ Kerberos V5 accepts you as ``arechenberg at SHERMFIN.COM'' ]
> > Password for arechenberg:
> >
> > ^^^^^^^^^^^^^^^^^^^^^^^^^
> > Tickets accepted, but still prompted for password. :\
> >
> > [root at rh71test ~]# cat /etc/krb5.conf
> > [logging]
> > default = FILE:/var/log/krb5libs.log
> > kdc = FILE:/var/log/krb5kdc.log
> > admin_server = FILE:/var/log/kadmind.log
> >
> > [libdefaults]
> > ticket_lifetime = 24000
> > default_realm = SHERMFIN.COM
> > dns_lookup_realm = false
> > dns_lookup_kdc = false
> > default_tgs_enctypes = des-cbc-crc des-cbc-md5
> > default_tkt_enctypes = des-cbc-crc des-cbc-md5
> > forwardable = true
> > proxiable = true
> >
> > [realms]
> > SHERMFIN.COM = {
> > kdc = mykdc.shermfin.com:88
> > default_domain = shermfin.com
> > }
> >
> > [domain_realm]
> > .shermfin.com = SHERMFIN.COM
> > shermfin.com = SHERMFIN.COM
> >
> > [kdc]
> > profile = /var/kerberos/krb5kdc/kdc.conf
> >
> > [pam]
> > debug = false
> > ticket_lifetime = 36000
> > renew_lifetime = 36000
> > forwardable = true
> > krb4_convert = false
> >
> > [root at rh71test ~]# cat /etc/xinetd.d/krb5-telnet
> > # default: off
> > # description: The kerberized telnet server accepts normal telnet
> > sessions, \
> > # but can also use Kerberos 5 authentication.
> > service telnet
> > {
> > flags = REUSE
> > socket_type = stream
> > wait = no
> > user = root
> > server = /usr/kerberos/sbin/telnetd
> > server_args = -a valid -L /bin/login.krb5
> > log_on_failure += USERID
> > disable = no
> > }
> >
> > [root at rh71test ~]# cat /etc/pam.d/login
> > #%PAM-1.0
> > auth required /lib/security/pam_securetty.so
> > auth required /lib/security/pam_stack.so service=system-auth
> > auth required /lib/security/pam_nologin.so
> > account required /lib/security/pam_stack.so service=system-auth
> > password required /lib/security/pam_stack.so service=system-auth
> > session required /lib/security/pam_stack.so service=system-auth
> > session optional /lib/security/pam_console.so
> >
> > [root at rh71test ~]# cat /etc/pam.d/system-auth
> > #%PAM-1.0
> > # This file is auto-generated.
> > # User changes will be destroyed the next time authconfig is run.
> > auth required /lib/security/pam_env.so
> > auth sufficient /lib/security/pam_unix.so likeauth nullok
> > auth required /lib/security/pam_deny.so
> >
> > account required /lib/security/pam_unix.so
> >
> > password required /lib/security/pam_cracklib.so retry=3
> > password sufficient /lib/security/pam_unix.so nullok use_authtok
> > md5 shadow
> > password required /lib/security/pam_deny.so
> >
> > session required /lib/security/pam_limits.so
> > session required /lib/security/pam_unix.so
> > ________________________________________________
> > Kerberos mailing list Kerberos at mit.edu
> > http://mailman.mit.edu/mailman/listinfo/kerberos
More information about the Kerberos
mailing list