.k5login and krb5.conf syntax errors
Christopher D. Clausen
cclausen at acm.org
Wed Sep 6 10:52:13 EDT 2006
Last night I found out the hard way that if a user creates a .k5login
file that isn't correct, (has Windows linebreaks or has multiple
pricipal names on the same line) that they cannot login at all to
systems using pam-krb5 for authentication. (This is on Ubuntu 6.06 on
x86.) Further, no error is listed in the auth.log at all.
Similarly, I've been completely locked out of systems if there are
syntax errors in the krb5.conf file and I've seen Windows BSOD if the
system krb5.ini isn't correct. Is there no way to have a fail-safe
method of operation?
Is this an issue with pam-krb5 (I believe that the Debian pam-kr5 is in
use on Ubuntu) or with the MIT Kerberos libraries themselves? Is this
expected behavior? Or is there a way to be warned about such syntax
errors instead of having authentication fail silently?
versions of various things are:
[cclausen at raven:/]% COLUMNS=120 dpkg -l "*krb5*" | cut -c0-54
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-co
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (S
||/ Name Version
+++-========================-========================-
ii krb5-clients 1.4.3-5ubuntu0.1
ii krb5-config 1.7
ii krb5-user 1.4.3-5ubuntu0.1
ii libkrb5-dev 1.4.3-5ubuntu0.1
ii libkrb53 1.4.3-5ubuntu0.1
ii libpam-krb5 1.2.0-3
ii openafs-krb5 1.4.1-2
Any pointers / info would be appreciated.
<<CDC
--
Christopher D. Clausen
ACM at UIUC SysAdmin
More information about the Kerberos
mailing list