pam_krb5 questions

Techie techchavez at gmail.com
Sun Jul 18 22:36:51 EDT 2010


Russ,

I have your pam_krb5 module working with RHEL5 but I am having issues
on RHEL4. When I replace the RHEL pam_krb5 with the eyrie module I
can't log in. It looks like the pam_krb5 is indeed authenticating me
though as seen below, well it says authenticated as the krb user. I am
using the newest module or 4.3. Looks like pam_krb5 is authenticating
but pam_unix is choking even though pam_krb5 is sufficient. As I said
if I use the RHEL module it works but I need the extra functionality
of your module. Will an older version of your module work possibly?

I am thinking the "sshd: PAM pam_parse: expecting return value;
[...suficient]" may be the issue as seen below.

Thanks
TC


##Secure log##
sshd[28791]: pam_krb5(sshd): pam_sm_authenticate: entry (0x1)
sshd[28791]: pam_krb5(sshd): user joe_johnson authenticated as joe_johnson at EXAMPLE.COM
sshd[28791]: pam_krb5(sshd): pam_sm_authenticate: exit (success)
sshd[28791]: Failed password for joe_johnson from ::ffff:127.0.0.1 port 34431 ssh2
sshd[28792]: Connection closed by ::ffff:127.0.0.1

##Messages Log##
sshd: PAM pam_parse: expecting return value; [...suficient]
sshd(pam_unix)[28825]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhel4test  user=joe_johnson



On Thu, Jul 15, 2010 at 2:54 PM, Russ Allbery <rra at stanford.edu> wrote:
> Techie <techchavez at gmail.com> writes:
>
>>> I don't know of any reason why it shouldn't work with sudo, but I don't
>>> personally use sudo and don't have any simple way to test.  I'd need to
>>> see the debug log output to understand exactly what it's doing.
>
>> You are right Russ, It was my mistake.
>> You don't use sudo! What do you use?
>
> ksu, or probably more accurately, we use Puppet to do all of the regular
> configuration management and to ensure services are running, so the small
> handful of times when we need root access to debug something, we just ksu
> or log in as root.
Good to know, I looked at ksu, it has got me interested.
>
> We do use sudo a few places to grant normal users access to do things like
> run specific init scripts, but we always use NOPASSWD for those cases.
>
> --
> Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
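
The pam_parse line in the messages log above quotes a control token, so one way to check a PAM stack for control fields that libpam will not accept is to lint them against the keywords and [value=action] syntax in pam.conf(5). This is an added example, not part of the original message: `lint_pam` is a hypothetical helper, the sample stack is constructed, and the /etc/pam.d file format of current Linux-PAM is assumed.

```python
import re

# Control keywords and [value=action] names as documented in Linux-PAM's pam.conf(5).
SIMPLE = {"required", "requisite", "sufficient", "optional", "include", "substack"}
VALUES = set("""success open_err symbol_err service_err system_err buf_err
perm_denied auth_err cred_insufficient authinfo_unavail user_unknown maxtries
new_authtok_reqd acct_expired session_err cred_unavail cred_expired cred_err
no_module_data conv_err authtok_err authtok_recover_err authtok_lock_unavail
authtok_disable_aging try_again ignore abort authtok_expired module_unknown
bad_item conv_again incomplete default""".split())
ACTIONS = {"ignore", "bad", "die", "ok", "done", "reset"}
TYPES = {"auth", "account", "password", "session"}

def lint_pam(text):
    """Return (line_number, token, reason) for each control field that is not valid."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = re.match(r"(-?\w+)\s+(\[[^\]]*\]|\S+)", line)
        if not m or m.group(1).lstrip("-").lower() not in TYPES:
            findings.append((n, line.split()[0], "unknown module type"))
            continue
        control = m.group(2)
        if not control.startswith("["):
            if control.lower() not in SIMPLE:
                findings.append((n, control, "unknown control keyword"))
            continue
        for pair in control[1:-1].split():
            value, _, action = pair.partition("=")
            if value not in VALUES:
                findings.append((n, pair, "unknown return value"))
            elif action not in ACTIONS and not (re.fullmatch(r"[0-9]+", action) and int(action) > 0):
                findings.append((n, pair, "unknown action"))
    return findings

# Constructed sample stack (not the poster's configuration).
SAMPLE = """\
#%PAM-1.0
auth  suficient  pam_krb5.so debug
auth  [success=1 default=ignore]  pam_unix.so try_first_pass
auth  [sucess=ok default=bad]  pam_deny.so
auth  required  pam_deny.so
"""

if __name__ == "__main__":
    for finding in lint_pam(SAMPLE):
        print("line %d: %r: %s" % finding)
```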
