disabling krb524d attempts - causes login hangs

Fletcher Cocquyt fcocquyt at stanford.edu
Fri Dec 19 12:16:13 EST 2008

Greg Hudson <ghudson <at> mit.edu> writes:

> On Fri, 2008-12-19 at 14:41 +0000, Fletcher Cocquyt wrote:
> > How can we explicitly disable the krb524 communication attempt (campus does
> > run that service)
> Ken's suggestions will work at a global level without requiring changes
> to client configuration, which may be advantageous.  But I read your
> question as asking about client configuration, so:
> First, find where pam_krb5 is configured in your system's PAM
> configuration.  grepping for krb5 in /etc/pam.d/* will probably turn it
> up.
> Second, consult the pam_krb5 man page (if you have one) to see what
> option to use to turn it off.  It may be "convert_krb4=false".  Append
> that to the pam_krb5 configuration line.
So in /etc/pam.d/system-auth-ac (the same place I added debug for logging krb
and the only pam.d with krb config) I set:

krb4_convert=false krb4_convert_524=false

    tells pam_krb5.so to obtain Kerberos IV credentials for users, in addition
    to Kerberos 5 credentials, using either a v4-capable KDC or This option is
    poorly named. This option is automatically enabled if AFS is detected.

    tells pam_krb5.so to obtain Kerberos IV credentials for users using the
    krb524 service. This option modifies the krb4_convert option. If disabled,
    pam_krb5 will only attempt to obtain Kerberos IV credentials using the KDC.

per the man page: http://linux.die.net/man/8/pam_krb5

It had no effect - even after restarting the sshd service

Dec 19 09:08:56 admsys-local sshd[17077]: pam_krb5[17077]: krb5_get_init_creds_password(krbtgt/stanford.edu at stanford.edu) returned 0
Dec 19 09:08:56 admsys-local sshd[17077]: pam_krb5[17077]: got result 0
Dec 19 09:08:56 admsys-local sshd[17077]: pam_krb5[17077]: obtaining v4-compatible key
Dec 19 09:08:56 admsys-local sshd[17077]: pam_krb5[17077]: obtained des-cbc-crc v5 creds
Dec 19 09:08:56 admsys-local sshd[17077]: pam_krb5[17077]: converting v5 creds to v4 creds (etype = 1)

my system-auth:
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass debug krb4_convert=false
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so krb4_convert=false krb4_convert_524=false
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass 
password    sufficient    pam_krb5.so use_authtok krb4_convert=false
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet
session     required      pam_unix.so
session     optional      pam_krb5.so krb4_convert=false krb4_convert_524=false

thanks for any tips
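
Added example, not part of the original post or of pam_krb5: each PAM line carries its own module arguments, so this sketch lists every pam_krb5.so line in a stack and shows which of the two options named above it sets explicitly. The sample stack is constructed (modelled on the one quoted above, plus one bare line), and the function names audit and incomplete are hypothetical.

```python
import re

# Constructed sample modelled on the system-auth stack quoted in the post.
SAMPLE = """\
# This file is auto-generated.
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_krb5.so use_first_pass debug krb4_convert=false
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so krb4_convert=false krb4_convert_524=false
password    sufficient    pam_krb5.so use_authtok krb4_convert=false
session     optional      pam_krb5.so krb4_convert=false krb4_convert_524=false
session     optional      pam_krb5.so
"""

# type, control (single word or [bracketed list]), module path, arguments
LINE = re.compile(r"^\s*(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
OPTIONS = ("krb4_convert", "krb4_convert_524")  # option names from the post

def audit(text, module="pam_krb5.so"):
    """Return one dict per `module` line: line number, PAM type and the
    value of each option ('unset' when the line does not mention it)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]          # drop comments
        m = LINE.match(line)
        if not m or m.group(3).rsplit("/", 1)[-1] != module:
            continue
        args = {}
        for tok in m.group(4).split():
            key, _, val = tok.partition("=")
            args[key] = val or "(no value)"  # bare flag, no "=value"
        row = {"line": lineno, "type": m.group(1).lstrip("-")}
        for opt in OPTIONS:
            row[opt] = args.get(opt, "unset")
        findings.append(row)
    return findings

def incomplete(findings):
    """Line numbers where either option is not explicitly set to false."""
    return [f["line"] for f in findings
            if any(f[o] != "false" for o in OPTIONS)]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f)
    print("lines to review:", incomplete(audit(SAMPLE)))
```

To check a real stack, pass the contents of the file under /etc/pam.d to audit() in place of SAMPLE.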
