PAM and GSSAPI SSH authentication conflict

Rachel Elizabeth Dillon red at MIT.EDU
Fri Oct 8 14:12:43 EDT 2004


I am building a network that uses Kerberos for authentication. The original
plan was to have a single bastion host to which users sshed, and logged in
using their Kerberos password. From that bastion host, users could then 
ssh to any other machine on the network, authenticating via forwardable
Kerberos tickets and GSSAPI. I had this working. But, as always happens
with these things, requirements changed.

I am currently evaluating the feasibility of having every machine on the
network accept either Kerberos tickets or a Kerberos password as an
authentication mechanism. I believe that this _should_ work, but I haven't
been able to make it work. I have the following lines in /etc/pam.conf :

ssh             auth    required        pam_krb5.so.1 try_first_pass 
ssh             account required        pam_krb5.so.1 
ssh             session required        pam_krb5.so.1 
ssh             password required       pam_krb5.so.1 try_first_pass

If I comment these lines out, I get authentication just fine without
tickets but, unsurprisingly, no password-based authentication via PAM.
With the lines in place, if I ssh in with appropriate Kerberos tickets,
I get a host ticket but the following error in sshd -d -d -d :

debug1: userauth-request for user ptadmin service ssh-connection method external-keyx
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method external-keyx
Authorized to ptadmin, krb5 principal ptadmin at IC.COM (krb5_kuserok)
debug2: pam_acct_mgmt() = 17
PAM rejected by account configuration[17]: User account has expired

To the best of my knowledge the account is not expired, since it can log 
in just fine either with its Kerberos password or with those lines commented
out. I tried googling on this phrase and found a variety of errors related
to password expiry (reasonable), but this user account does not even _have_ 
a local password; no accounts do in our system. I would expect Solaris to
do the right thing and not count them as expired passwords in this case, but
maybe PAM gets tripped up? I'm not sure.

Anyway, any help would be appreciated. I'm using stock Debian OpenSSH 3.6,
except recompiled for Solaris.

Thanks!

-r.
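As an added example (not part of the original post, and not code from any real PAM implementation), the following simulator models how a Solaris pam.conf stack combines module results under the required/requisite/sufficient/optional rules described in pam.conf(4). It shows why the posted `account required pam_krb5.so.1` line turns a return code of 17 (PAM_ACCT_EXPIRED) into a rejected login even though sshd had already authenticated the user via GSSAPI, and what changes if pam_krb5 is not the only module that decides. The alternative stack, the `pam_unix.so.1` module name used as a local account check, and every return-code scenario are assumptions constructed for the example; the thread does not confirm any particular fix.

```python
"""Simulate how a Solaris PAM stack combines module results.

Added example, not code from the original post or from any PAM implementation.
It models the control-flag rules described in pam.conf(4) closely enough to
show why 'account required pam_krb5.so.1' rejects a login whose PAM auth phase
was skipped. Module names other than pam_krb5.so.1 and all scenarios below
are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List

# Solaris pam_appl.h values; 17 is the code in the posted sshd -ddd trace.
PAM_SUCCESS = 0
PAM_AUTH_ERR = 9
PAM_ACCT_EXPIRED = 17
PAM_IGNORE = 25


@dataclass(frozen=True)
class Entry:
    control: str   # required | requisite | sufficient | optional
    module: str


def run_stack(stack: List[Entry], results: Dict[str, int]) -> int:
    """Evaluate one management group (e.g. the 'account' group).

    `results` maps module name -> code that module returns in this scenario;
    a module not listed is assumed to return PAM_SUCCESS.
    Rules (simplified from pam.conf(4)):
      required   failure is recorded, stack continues, final result fails
      requisite  failure returns immediately
      sufficient success returns immediately unless a required module
                 already failed; failure is ignored
      optional   failure only matters if nothing else succeeded
    """
    required_err = None
    optional_err = None
    success_seen = False
    for entry in stack:
        rc = results.get(entry.module, PAM_SUCCESS)
        if rc == PAM_IGNORE:
            continue
        ok = rc == PAM_SUCCESS
        if entry.control == "requisite":
            if not ok:
                return required_err if required_err is not None else rc
            success_seen = True
        elif entry.control == "required":
            if ok:
                success_seen = True
            elif required_err is None:
                required_err = rc
        elif entry.control == "sufficient":
            if ok and required_err is None:
                return PAM_SUCCESS
            if ok:
                success_seen = True
        elif entry.control == "optional":
            if ok:
                success_seen = True
            elif optional_err is None:
                optional_err = rc
        else:
            raise ValueError(f"unknown control flag {entry.control!r}")
    if required_err is not None:
        return required_err
    if success_seen:
        return PAM_SUCCESS
    return optional_err if optional_err is not None else PAM_SUCCESS


# The account group exactly as posted in /etc/pam.conf for service "ssh".
POSTED_ACCOUNT = [Entry("required", "pam_krb5.so.1")]

# Hypothetical alternative (an assumption, not a fix the thread confirms):
# a local account module decides, and pam_krb5 can only add a fast success.
ALT_ACCOUNT = [
    Entry("required", "pam_unix.so.1"),     # assumed local account module
    Entry("sufficient", "pam_krb5.so.1"),
]

# Constructed scenarios. In the posted trace the GSSAPI login never ran the
# PAM auth phase, and pam_krb5's account phase then returned 17.
SCENARIOS = {
    "password via PAM":      {"pam_krb5.so.1": PAM_SUCCESS},
    "gssapi, krb5 acct=17":  {"pam_krb5.so.1": PAM_ACCT_EXPIRED},
    "local account expired": {"pam_unix.so.1": PAM_ACCT_EXPIRED},
}


def evaluate_all(stack: List[Entry]) -> Dict[str, int]:
    """Run every scenario against one account stack."""
    return {name: run_stack(stack, res) for name, res in SCENARIOS.items()}


if __name__ == "__main__":
    for label, stack in (("posted", POSTED_ACCOUNT), ("alternative", ALT_ACCOUNT)):
        for name, rc in evaluate_all(stack).items():
            print(f"{label:11} {name:22} -> {rc}")
```

The trade-off the simulation makes visible: with the posted stack, pam_krb5 alone decides and a 17 from it ends the login; with the alternative stack, the GSSAPI login passes, but a failure reported by pam_krb5's account phase is now ignored whenever the local module is happy, so any policy that only the Kerberos side enforces no longer gates GSSAPI logins. Whether that is acceptable depends on what pam_krb5's account check is actually meant to enforce on the site in question.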