password expiration/change request fails to ask

Douglas E. Engert deengert at anl.gov
Tue Oct 13 18:09:51 EDT 2009



Jeff Blaine wrote:
> Solaris 10 SPARC OS
> Solaris 10 / Sun sshd
> MIT Kerberos 1.7
> Russ Allbery's fantastic pam_krb5 3.15 linked to above
> 
> Solaris 9 + MIT Kerberos + RA pam_krb5 works!
> 
> RHELv5 with stock MIT Kerberos + RA pam_krb5 works!
> 
> The setup above fails.
> 
> On the client side, I merely see "Permission denied."
> instead of being asked to change my expired password.
> 
> If anyone has any ideas, I would love to hear them.
> 
> % ssh cairo
> jblaine at cairo's password:
> Permission denied, please try again.
> 
> #
> # all krb5kdc.log info matching the timestamp
> #
> Oct 13 16:54:10 kdc1 krb5kdc[2723](info): AS_REQ (7 etypes {18 17 16 23 
> 1 3 2}) xxx.xx.10.14: CLIENT KEY EXPIRED: jblaine at FOO.COM for 
> krbtgt/FOO.COM at FOO.COM, Password has expired
> Oct 13 16:54:10 kdc1 krb5kdc[2723](info): AS_REQ (7 etypes {18 17 16 23 
> 1 3 2}) xxx.xx.10.14: ISSUE: authtime 1255467250, etypes {rep=16 tkt=16 
> ses=16}, jblaine at FOO.COM for kadmin/changepw at FOO.COM
> 
> 
> #
> # all *.debug syslog info matching the timestamp
> #
> Oct 13 16:54:10 cairo sshd[13611]: [ID 584047 auth.debug] (pam_krb5): 
> jblaine: attempting authentication as jblaine at FOO.COM
> Oct 13 16:54:10 cairo sshd[13611]: [ID 584047 auth.debug] (pam_krb5): 
> jblaine: krb5_get_init_creds_password: Generic error (see e-text)
> Oct 13 16:54:10 cairo sshd[13611]: [ID 584047 auth.debug] (pam_krb5): 
> jblaine: pam_sm_authenticate: exit (failure)
> Oct 13 16:54:10 cairo sshd[13611]: [ID 800047 auth.notice] Failed 
> password for jblaine from xxx.xx.xx.xxx port 36735 ssh2
> 
> #
> # /etc/pam.conf
> #
> sshd-password auth requisite    pam_authtok_get.so.1
> sshd-password auth sufficient   pam_krb5RA.so try_first_pass forwardable 
> minimum_uid=92 debug
> sshd-password auth required     pam_unix_auth.so.1
> sshd-password auth required     pam_unix_cred.so.1
> sshd-password auth optional     pam_afs_session.so minimum_uid=92 debug
> sshd-password session optional  pam_krb5RA.so minimum_uid=92 debug
> sshd-password session optional  pam_afs_session.so minimum_uid=92 debug
> 

I think you also need:
   sshd-password password required pam_krb5RA.so minimum_uid=92 debug
(and a copy of the "other password" entries as needed)

I bet it is using the "other" password entries and not calling pam_krb5RA.so


I would also use PAMAuthenticationViaKBDInt yes and in pam.conf: sshd-kbdint


One way to test is to see what pam modules are being called by
adding a /etc/pam_debug file with:
debug_flags=0x37
log_priority=7
log_facility=1
#1024 max size of this file
#http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/libpam/pam_framework.c
# flags=0  turn off, or no file
#        8 is for pam.conf parse



-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
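The situation described in the reply above (a service that has `auth` and `session` entries but no `password` entry, so the PAM framework silently falls back to the `other` stack for the password phase) can be checked mechanically rather than by reading syslog. The following is an added example written for this page, not code from the thread, from Solaris, or from pam_krb5. It assumes Solaris-style `/etc/pam.conf` syntax (`service type control module options...`) and uses a constructed copy of the posted configuration plus a constructed set of `other` entries approximating a Solaris 10 default; the exact default `other` lines on a given host may differ.

```python
"""Resolve the effective PAM stack per module type for a Solaris-style pam.conf.

Solaris semantics (assumed here): if a service has at least one entry of a given
module type, those entries are its stack; if it has none, the 'other' entries of
that type are used instead.  That fallback is exactly what makes a missing
'sshd-password password ...' line invisible until a password change is needed.
"""
from dataclasses import dataclass
from typing import Dict, List

MODULE_TYPES = ("auth", "account", "password", "session")


@dataclass
class PamEntry:
    service: str
    module_type: str      # auth, account, password, session
    control: str          # requisite, required, sufficient, optional, ...
    module: str           # e.g. pam_krb5RA.so or /usr/lib/security/pam_unix_auth.so.1
    options: List[str]


def parse_pam_conf(text: str) -> List[PamEntry]:
    """Parse pam.conf text; '#' starts a comment, blank lines are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        service, mtype, control, module, *opts = fields
        entries.append(PamEntry(service.lower(), mtype.lower(), control.lower(), module, opts))
    return entries


def effective_stack(entries: List[PamEntry], service: str, module_type: str) -> List[PamEntry]:
    """Entries the framework would actually run for service/module_type."""
    own = [e for e in entries if e.service == service.lower() and e.module_type == module_type]
    if own:
        return own
    return [e for e in entries if e.service == "other" and e.module_type == module_type]


def stack_calls(entries: List[PamEntry], service: str, module_type: str, module_name: str) -> bool:
    """True if the effective stack includes module_name (path prefix ignored)."""
    return any(e.module.rsplit("/", 1)[-1] == module_name
               for e in effective_stack(entries, service, module_type))


def report(entries: List[PamEntry], service: str) -> Dict[str, dict]:
    """Per module type: whether the service fell back to 'other', and which modules run."""
    out = {}
    for mtype in MODULE_TYPES:
        stack = effective_stack(entries, service, mtype)
        out[mtype] = {
            "falls_back_to_other": bool(stack) and all(e.service == "other" for e in stack),
            "modules": [e.module for e in stack],
        }
    return out


# Constructed sample: the sshd-password lines as posted (mail wrapping undone),
# plus 'other' entries approximating a Solaris 10 default for this illustration.
POSTED_CONF = """
sshd-password auth requisite    pam_authtok_get.so.1
sshd-password auth sufficient   pam_krb5RA.so try_first_pass forwardable minimum_uid=92 debug
sshd-password auth required     pam_unix_auth.so.1
sshd-password auth required     pam_unix_cred.so.1
sshd-password auth optional     pam_afs_session.so minimum_uid=92 debug
sshd-password session optional  pam_krb5RA.so minimum_uid=92 debug
sshd-password session optional  pam_afs_session.so minimum_uid=92 debug
# constructed 'other' entries (not from the thread)
other auth requisite     pam_authtok_get.so.1
other auth required      pam_unix_auth.so.1
other password required  pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required  pam_authtok_store.so.1
"""

# The line the reply suggests adding.
SUGGESTED_LINE = "sshd-password password required pam_krb5RA.so minimum_uid=92 debug"


if __name__ == "__main__":
    before = parse_pam_conf(POSTED_CONF)
    after = parse_pam_conf(POSTED_CONF + "\n" + SUGGESTED_LINE)
    for label, entries in (("as posted", before), ("with password line", after)):
        r = report(entries, "sshd-password")["password"]
        print(f"{label}: password stack falls back to 'other' = {r['falls_back_to_other']}, "
              f"modules = {r['modules']}")
```

Running it shows that with the posted file the `password` phase for `sshd-password` is served entirely by the `other` entries and never reaches `pam_krb5RA.so`, which matches the "Permission denied" instead of a change-password prompt; once the suggested line is present the same check reports the Kerberos module in the stack.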


