Tickets accepted upon login but still prompted for password
Suresh Narayan Srinivasan
sureshnarayan.s at sonata-software.com
Mon Mar 18 00:02:58 EST 2002
hi
you are missing a .k5login profile on your linux box, in the home directory
for the user you want to log in as.
you may try creating a .k5login file with an entry of your principal name
(user at REALM.COM) with which you got your initial TGT.
try this. it should work
suresh
-----Original Message-----
From: arechenberg at shermfin.com [mailto:arechenberg at shermfin.com]
Sent: 15 March 2002 21:33
To: kerberos at mit.edu
Subject: Tickets accepted upon login but still prompted for password
I have a Red Hat Linux 7.1 box setup to use Kerberos authentication
for telnet access. The KDC is a Windows 2000 Server (SP2). I have
successfully setup a service principal for the Linux box in the 2000
domain and I have transferred the keytab to the Linux box and imported
it into /etc/krb5.keytab.
A user can successfully obtain tickets from the KDC while logging in,
but when I try to test an automatic telnet login the user's tickets
are accepted but the user is still prompted for a password. I would
prefer the users not to be prompted once they obtain their Kerberos
tickets.
Am I missing something so obvious it's stupid? :) I have krb5-telnet
activated in xinetd and have specified it to use login.krb5. I also
have the default PAM config files for RH7.1. I have tried using
authconfig to include Kerberos authentication, but that did not make a
difference. Below are relevant configuration files and sample outputs
from a telnet session.
Any help would be greatly appreciated. Let me know if you need any
more information. Please CC: my email address with any responses.
Thank you in advance.
Regards,
Andrew Rechenberg
Network Team, Sherman Financial Group
arechenberg(at)shermanfinancialgroup.com
***********************************************************
[root at rh71test ~]# telnet rh71test.shermfin.com
Trying 10.1.1.55...
Connected to rh71test.shermfin.com.
Escape character is '^]'.
rh71test.shermfin.com (Linux release 2.4.2-2 #1 Sun Apr 8 20:41:30
EDT 2001) (4)
login: arechenberg
Password for arechenberg:
Last login: Fri Mar 15 10:38:46 from rh71test
[arechenberg at rh71test ~]$ klist -fe
Ticket cache: FILE:/tmp/krb5cc_p31503
Default principal: arechenberg at SHERMFIN.COM
Valid starting Expires Service principal
03/15/02 10:49:24 03/15/02 20:49:24 krbtgt/SHERMFIN.COM at SHERMFIN.COM
Flags: FPIA, Etype (skey, tkt): DES cbc mode with CRC-32, DES
cbc mode with CRC-32
03/15/02 10:49:24 03/15/02 10:54:24
host/rh71test.shermfin.com at SHERMFIN.COM
Flags: FPA, Etype (skey, tkt): DES cbc mode with CRC-32, DES
cbc mode with CRC-32
Kerberos 4 ticket cache: /tmp/tkt601
klist: You have no tickets cached
[arechenberg at rh71test ~]$ telnet -a rh71test.shermfin.com
Trying 10.1.1.55...
Connected to rh71test.shermfin.com (10.1.1.55).
Escape character is '^]'.
[ Kerberos V5 accepts you as ``arechenberg at SHERMFIN.COM'' ]
Password for arechenberg:
^^^^^^^^^^^^^^^^^^^^^^^^^
Tickets accepted, but still prompted for password. :\
[root at rh71test ~]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = SHERMFIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
default_tgs_enctypes = des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5
forwardable = true
proxiable = true
[realms]
SHERMFIN.COM = {
kdc = mykdc.shermfin.com:88
default_domain = shermfin.com
}
[domain_realm]
.shermfin.com = SHERMFIN.COM
shermfin.com = SHERMFIN.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[pam]
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
[root at rh71test ~]# cat /etc/xinetd.d/krb5-telnet
# default: off
# description: The kerberized telnet server accepts normal telnet
sessions, \
# but can also use Kerberos 5 authentication.
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/kerberos/sbin/telnetd
server_args = -a valid -L /bin/login.krb5
log_on_failure += USERID
disable = no
}
[root at rh71test ~]# cat /etc/pam.d/login
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so
[root at rh71test ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok
md5 shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
________________________________________________
Kerberos mailing list Kerberos at mit.edu
http://mailman.mit.edu/mailman/listinfo/kerberos
*********************************************************************
Disclaimer: The information in this e-mail and any attachments is
confidential / privileged. It is intended solely for the addressee or
addressees. If you are not the addressee indicated in this message, you may
not copy or deliver this message to anyone. In such case, you should destroy
this message and kindly notify the sender by reply email. Please advise
immediately if you or your employer does not consent to Internet email for
messages of this kind.
*********************************************************************
More information about the Kerberos
mailing list