Can use kerberized telnet, but cannot use pam_krb5

Ralf Hildebrandt Ralf.Hildebrandt at charite.de
Wed Feb 1 09:54:07 EST 2006


* Ralf Hildebrandt <Ralf.Hildebrandt at charite.de>:

> ----------- snip ----------
> # PAM configuration for OpenVPN
> auth                sufficient          pam_krb5.so debug ignore_root
> account             required            pam_krb5.so debug ignore_root
> ----------- snip ----------

I added 

auth    sufficient      pam_krb5.so debug try_first_pass

to /etc/pam.d/common.auth; I can log in using ssh and in the log I find:

Feb  1 15:38:51 vpn-gw-int sshd[1807]: (pam_krb5): none: pam_sm_authenticate: entry
Feb  1 15:38:53 vpn-gw-int sshd[1807]: pam_krb5: verify_krb_v5_tgt(): krb5_kt_read_service_key(): Key table entry not found
Feb  1 15:38:53 vpn-gw-int sshd[1807]: (pam_krb5): hildeb: pam_sm_authenticate: exit (success)
Feb  1 15:38:53 vpn-gw-int sshd[1805]: Accepted keyboard-interactive/pam for hildeb from 160.45.172.180 port 51032 ssh2
Feb  1 15:38:53 vpn-gw-int sshd[1808]: (pam_unix) session opened for user hildeb by (uid=0)
Feb  1 15:38:53 vpn-gw-int sshd[1808]: (pam_krb5): none: pam_sm_setcred: entry (0x8)
Feb  1 15:38:53 vpn-gw-int sshd[1808]: (pam_krb5): none: pam_sm_setcred: no context found, creating one
Feb  1 15:38:53 vpn-gw-int sshd[1808]: (pam_krb5): hildeb: found initial ticket cache at /tmp/krb5cc_pam_oZd4wH
Feb  1 15:38:53 vpn-gw-int sshd[1808]: (pam_krb5): hildeb: pam_sm_setcred: exit (success)

and when I log out:

Feb  1 15:39:24 vpn-gw-int sshd[1808]: (pam_krb5): none: pam_sm_setcred: entry (0x4)
Feb  1 15:39:24 vpn-gw-int sshd[1808]: (pam_krb5): hildeb: krb5_cc_destroy: ctx->cache: /tmp/krb5cc_pam_oZd4wH
Feb  1 15:39:24 vpn-gw-int sshd[1808]: (pam_unix) session closed for user hildeb

So I assume Kerberos Authentication does indeed work.

> Jan 31 20:54:05 vpn-gw-int openvpn[3005]: (pam_krb5): none: pam_sm_authenticate: entry
> Jan 31 20:54:05 vpn-gw-int openvpn[3005]: pam_krb5: openvpn-krb5
> Jan 31 20:54:05 vpn-gw-int openvpn[3005]: pam_krb5: verify_krb_v5_tgt(): krb5_kt_read_service_key(): Key table entry not found
> Jan 31 20:54:05 vpn-gw-int openvpn[3005]: (pam_krb5): hildeb: pam_sm_authenticate: exit (success)
> Jan 31 20:54:05 vpn-gw-int openvpn[3005]: (pam_krb5): none: pam_sm_acct_mgmt: entry

So where is the difference here?

Only the line "(pam_krb5): none: pam_sm_acct_mgmt: entry",
which cannot be found in the "working" ssh example.

On
http://publib16.boulder.ibm.com/pseries/en_US/aixbman/security/pam_overview.htm
I find:

------------ snip --------------
Account Management Modules 

Determine validity of the user account and subsequent access after
identification from authentication module. Checks performed by these
modules typically include account expiration and password restrictions. 

Account management module function:
pam_sm_acct_mgmt
------------ snip --------------


-- 
Ralf Hildebrandt (on behalf of the IT Center)    Ralf.Hildebrandt at charite.de
Charite - Universitätsmedizin Berlin            Tel.  +49 (0)30-450 570-155
Joint institution of FU and HU Berlin           Fax.  +49 (0)30-450 570-962
IT-Zentrum Standort CBF                 send no mail to spamtrap at charite.de
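The difference the post isolates (the ssh session only enters pam_sm_authenticate and pam_sm_setcred, while the OpenVPN session also enters pam_sm_acct_mgmt and never logs an exit for it) and the recurring "Key table entry not found" warning can both be pulled out of the pam_krb5 debug log mechanically. The following is an added example, not code from the post or from pam_krb5; the sample lines are constructed after the excerpts above, and only the log format and PAM function names seen there are assumed.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the syslog excerpts quoted in the post.
SAMPLE_LOG = """\
Feb  1 15:38:51 vpn-gw-int sshd[1807]: (pam_krb5): none: pam_sm_authenticate: entry
Feb  1 15:38:53 vpn-gw-int sshd[1807]: pam_krb5: verify_krb_v5_tgt(): krb5_kt_read_service_key(): Key table entry not found
Feb  1 15:38:53 vpn-gw-int sshd[1807]: (pam_krb5): hildeb: pam_sm_authenticate: exit (success)
Jan 31 20:54:05 vpn-gw-int openvpn[3005]: (pam_krb5): none: pam_sm_authenticate: entry
Jan 31 20:54:05 vpn-gw-int openvpn[3005]: pam_krb5: verify_krb_v5_tgt(): krb5_kt_read_service_key(): Key table entry not found
Jan 31 20:54:05 vpn-gw-int openvpn[3005]: (pam_krb5): hildeb: pam_sm_authenticate: exit (success)
Jan 31 20:54:05 vpn-gw-int openvpn[3005]: (pam_krb5): none: pam_sm_acct_mgmt: entry
"""

# syslog prefix: "Mon dd hh:mm:ss host service[pid]: "
_PREFIX = r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ (?P<svc>\w+)\[(?P<pid>\d+)\]: "
PHASE_RE = re.compile(
    _PREFIX + r"\(pam_krb5\): (?P<user>\S+): (?P<func>pam_sm_\w+): "
    r"(?P<event>entry|exit)(?: \((?P<status>[^)]*)\))?"
)
KEYTAB_RE = re.compile(
    _PREFIX + r"pam_krb5: verify_krb_v5_tgt\(\): .*Key table entry not found"
)


def analyze_pam_krb5(log_text):
    """Group pam_krb5 debug lines by (service, pid). For every PAM function
    entered, record the exit status ('success', 'failure', ...) or None when
    the function was entered but never exited in the captured lines."""
    report = defaultdict(lambda: {"phases": {}, "tgt_unverified": False})
    for line in log_text.splitlines():
        m = PHASE_RE.match(line)
        if m:
            session = report[(m["svc"], m["pid"])]
            if m["event"] == "entry":
                session["phases"].setdefault(m["func"], None)
            else:
                session["phases"][m["func"]] = m["status"] or "exit"
            continue
        m = KEYTAB_RE.match(line)
        if m:
            # No service key in the keytab: the TGT was accepted without being
            # checked against a host principal, so it has not been verified.
            report[(m["svc"], m["pid"])]["tgt_unverified"] = True
    return dict(report)


def phases_only_in(report, session, other):
    """PAM functions entered in `session` that `other` never entered."""
    return set(report[session]["phases"]) - set(report[other]["phases"])
```

Running analyze_pam_krb5 over a longer capture and comparing the working and failing sessions with phases_only_in shows which PAM stage the failing service adds, and tgt_unverified flags every session where the keytab lookup failed.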


