pam_krb5 does not get credentials when using ssh
Douglas E. Engert
deengert at anl.gov
Thu Nov 9 10:30:33 EST 2006
Andrew Bovill wrote:
> On Wed, 08 Nov 2006 06:06:34 +0000, Andrew Bovill wrote:
>
>
>>pam_krb5 gives credentials (using a 'random' cache) just fine when logging
>>in on the local machine. However, if I log in over ssh, it does not get
>>the krb5 tickets, though it authenticates off kerberos just fine. I am
>>appending my pam config for system authentication:
>
>
> I forgot to mention, the sshd server I'm using is kerberized:
> OpenSSH_4.4p1, OpenSSL 0.9.8d 28 Sep 2006 with kerberos support.
>
On what OS?
Which pam_krb5? There are a few different versions with different options.
Something to keep in mind:
* KerberosAuthentication yes, KerberosOrLocalPasswd yes and
KerberosTicketCleanup yes all apply to password authentication,
where sshd calls kerberos directly. (You may not want this.)
* Keyboard interactive is handled by PAM, that can use Kerberos
if pam_krb5 is successful. (Preferred method.)
* GSSAPI authentication is using kerberos tickets, and sshd
will call the pam session routines so as to handle delegated
credentials, i.e. forwarded tickets.
* Some sshd implementations will use a different pam service name
depending on the method used. I don't think OpenSSH-4.x does.
So there are two separate paths to consider, keyboard-interactive
for passwords, and gssapi-with-mic for Kerberos ticket authentication.
With keyboard-interactive, privsep may get in the way. If your pam_krb5
has a force type option, to store the tickets during pam_sm_authenticate
rather than pam_sm_setcred, give that a try.
With gssapi-with-mic, sshd stores any delegated credentials (i.e. ssh_config
or the user has set GSSAPIDelegateCredentials yes), sets KRB5CCNAME
in the pam_env, and calls pam_open_session. (This is where AFS could
use these, but you are not using AFS.) In your case there is nothing
to do.
> --Andrew
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
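The reply above distinguishes three sshd authentication paths and which of them involve Kerberos, PAM, or both. The script below is an added example (not code from the post, nor from OpenSSH or any pam_krb5): it parses an sshd_config using sshd's own rules (keywords are case-insensitive, '#' starts a comment, the first occurrence of a keyword wins) and reports, for password, keyboard-interactive and gssapi-with-mic, who handles Kerberos and whether a ticket cache can result. The defaults table assumes OpenSSH 4.x-era defaults (note many distributions ship UsePAM yes); the sample config is constructed.

```python
"""Classify the Kerberos paths an sshd_config enables.

Added example, not part of the original mailing-list post and not OpenSSH
or pam_krb5 code. The path descriptions follow the reply above; the
defaults are assumed OpenSSH 4.x-era defaults.
"""

# Assumed OpenSSH defaults for the options relevant to this thread.
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "usepam": "no",
    "useprivilegeseparation": "yes",
    "gssapiauthentication": "no",
    "kerberosauthentication": "no",
    "kerberosorlocalpasswd": "yes",
    "kerberosticketcleanup": "yes",
}

# Constructed sample: Kerberos via PAM (keyboard-interactive) and GSSAPI,
# no direct password auth. The second GSSAPIAuthentication line is ignored
# by sshd because the first occurrence of a keyword wins.
SAMPLE_SSHD_CONFIG = """
# constructed sshd_config fragment
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
KerberosAuthentication no
GSSAPIAuthentication yes
GSSAPIAuthentication=no   # ignored: first occurrence wins
"""


def parse_sshd_config(text):
    """Return {lowercased keyword: value}; like sshd, the first occurrence wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # 'Key value' or 'Key=value'
        if len(parts) != 2:
            continue
        conf.setdefault(parts[0].lower(), parts[1].strip())
    return conf


def setting(conf, key):
    """Effective value of an option, falling back to the assumed default."""
    return conf.get(key, DEFAULTS[key]).lower()


def kerberos_paths(conf):
    """Describe the three authentication paths named in the thread."""
    use_pam = setting(conf, "usepam") == "yes"
    krb_direct = setting(conf, "kerberosauthentication") == "yes"

    pw_enabled = setting(conf, "passwordauthentication") == "yes"
    password = {
        "enabled": pw_enabled,
        # KerberosAuthentication yes: sshd calls the krb5 library itself, so
        # KerberosOrLocalPasswd and KerberosTicketCleanup apply; pam_krb5 does not.
        "handled_by": "sshd-kerberos" if krb_direct else ("pam" if use_pam else "local-passwd"),
    }

    kbd_enabled = setting(conf, "challengeresponseauthentication") == "yes" and use_pam
    keyboard_interactive = {
        "enabled": kbd_enabled,
        "pam_krb5_possible": kbd_enabled,
        # With privilege separation the PAM stack is split across processes,
        # which is where pam_sm_setcred may fail to leave a usable cache.
        "privsep_caveat": kbd_enabled and setting(conf, "useprivilegeseparation") == "yes",
    }

    gss_enabled = setting(conf, "gssapiauthentication") == "yes"
    gssapi = {
        "enabled": gss_enabled,
        # Tickets appear only if the client delegates them; sshd then stores
        # them, sets KRB5CCNAME in the PAM environment and opens a PAM session.
        "tickets_require_client_delegation": gss_enabled,
        "pam_session_called": gss_enabled and use_pam,
    }
    return {
        "password": password,
        "keyboard-interactive": keyboard_interactive,
        "gssapi-with-mic": gssapi,
    }


if __name__ == "__main__":
    for method, info in kerberos_paths(parse_sshd_config(SAMPLE_SSHD_CONFIG)).items():
        print(method, info)
```

Run it against a real /etc/ssh/sshd_config to see which path a login actually takes; if only the gssapi-with-mic row can produce tickets, a client that does not set GSSAPIDelegateCredentials will, as the reply says, authenticate but arrive with no cache.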