disabling krb524d attempts - causes login hangs
Fletcher Cocquyt
fcocquyt at stanford.edu
Fri Dec 19 12:16:13 EST 2008
Greg Hudson <ghudson <at> mit.edu> writes:
>
> On Fri, 2008-12-19 at 14:41 +0000, Fletcher Cocquyt wrote:
> > How can we explicitly disable the krb524 communication attempt (campus does
> > not run that service)
>
> Ken's suggestions will work at a global level without requiring changes
> to client configuration, which may be advantageous. But I read your
> question as asking about client configuration, so:
>
> First, find where pam_krb5 is configured in your system's PAM
> configuration. grepping for krb5 in /etc/pam.d/* will probably turn it
> up.
>
> Second, consult the pam_krb5 man page (if you have one) to see what
> option to use to turn it off. It may be "convert_krb4=false". Append
> that to the pam_krb5 configuration line.
>
So in /etc/pam.d/system-auth-ac (the same place I added debug for logging krb
and the only pam.d with krb config) I set:
krb4_convert=false krb4_convert_524=false
krb4_convert
tells pam_krb5.so to obtain Kerberos IV credentials for users, in addition
to Kerberos 5 credentials, using either a v4-capable KDC or This option is
poorly named. This option is automatically enabled if AFS is detected.
krb4_convert_524
tells pam_krb5.so to obtain Kerberos IV credentials for users using the
krb524 service. This option modifies the krb4_convert option. If disabled,
pam_krb5 will only attempt to obtain Kerberos IV credentials using the KDC.
per the man page: http://linux.die.net/man/8/pam_krb5
It had no effect - even after restarting the sshd service
Dec 19 09:08:56 admsys-local sshd[17077]: pam_krb5[17077]: krb5_get_init_creds_password(krbtgt/stanford.edu at stanford.edu) returned 0 (Success)
Dec 19 09:08:56 admsys-local sshd[17077]: pam_krb5[17077]: got result 0 (Success)
Dec 19 09:08:56 admsys-local sshd[17077]: pam_krb5[17077]: obtaining v4-compatible key
Dec 19 09:08:56 admsys-local sshd[17077]: pam_krb5[17077]: obtained des-cbc-crc v5 creds
Dec 19 09:08:56 admsys-local sshd[17077]: pam_krb5[17077]: converting v5 creds to v4 creds (etype = 1)
my system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass debug krb4_convert=false krb4_convert_524=false
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so krb4_convert=false krb4_convert_524=false
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok krb4_convert=false krb4_convert_524=false
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so krb4_convert=false krb4_convert_524=false
thanks for any tips
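As an added example (not from this thread and not part of pam_krb5), a small Python checker that audits a PAM stack for pam_krb5.so entries that do not set both krb4_convert=false and krb4_convert_524=false, and that picks out the pam_krb5 debug lines showing a v5-to-v4 conversion attempt, the step that stalls when no krb524d answers. The sample config and log lines are constructed, modeled on the ones quoted above.

```python
import re

# Constructed sample PAM stack modeled on the post; the (hypothetical) account
# entry lacks krb4_convert_524 so the audit has something to report.
SAMPLE_PAM = """\
#%PAM-1.0
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_krb5.so use_first_pass debug krb4_convert=false krb4_convert_524=false
account [default=bad success=ok user_unknown=ignore] pam_krb5.so krb4_convert=false
session optional pam_krb5.so krb4_convert=false krb4_convert_524=false
"""
# Constructed log excerpt modeled on the pam_krb5 debug output in the post.
SAMPLE_LOG = """\
Dec 19 09:08:56 admsys-local sshd[17077]: pam_krb5[17077]: got result 0 (Success)
Dec 19 09:08:56 admsys-local sshd[17077]: pam_krb5[17077]: obtaining v4-compatible key
Dec 19 09:08:56 admsys-local sshd[17077]: pam_krb5[17077]: converting v5 creds to v4 creds (etype = 1)
"""
# Both options must be explicitly false to stop the v5->v4 conversion attempt.
REQUIRED = {"krb4_convert": "false", "krb4_convert_524": "false"}
# type, control (bare word or [bracketed]), optional module path, then options
PAM_KRB5_RE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(?:\S*/)?pam_krb5\.so\b(.*)")

def pam_krb5_entries(text):
    """Yield (management_type, {option: value}) for each pam_krb5.so entry."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PAM_KRB5_RE.match(line)
        if m:
            # "key=value" -> (key, value); a bare flag becomes (flag, "")
            opts = dict(tok.partition("=")[::2] for tok in m.group(3).split())
            yield m.group(1), opts

def audit_pam(text):
    """Return [(type, [options missing or not 'false'])] for entries that still allow v4 conversion."""
    findings = []
    for mtype, opts in pam_krb5_entries(text):
        wrong = [k for k, want in REQUIRED.items() if opts.get(k) != want]
        if wrong:
            findings.append((mtype, wrong))
    return findings

def v4_conversion_events(log_text):
    """Return pam_krb5 debug lines showing a v4 conversion attempt, the step that stalls when krb524d is absent."""
    markers = ("obtaining v4-compatible key", "converting v5 creds to v4 creds")
    return [ln for ln in log_text.splitlines()
            if "pam_krb5" in ln and any(mk in ln for mk in markers)]
```

Run audit_pam over the real /etc/pam.d file and v4_conversion_events over /var/log/secure after a login: an empty audit result together with conversion lines still in the log points at the options not being honoured by this pam_krb5 build rather than at a configuration typo.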