Can't get Russ' pam_krb5 module to work with ssh on RHEL5

Edgecombe, Jason jwedgeco at uncc.edu
Thu Mar 1 16:47:35 EST 2012


Hi everyone,

I have Russ Allbery's pam_krb5 and pam_afs_session modules working for console logins, but they fail for ssh logins (both password and kerberized). I can get ssh logins to work with Red Hat's pam_krb5 module, but Red Hat's module causes problems with AFS tokens and Gnome (gconfd). Disabling ssh privilege separation doesn't make a difference. Any help is appreciated.

Platform: RHEL 5.6 x86_64

Here is the log from the password login:
Mar  1 16:39:08 myhost sshd[22409]: pam_krb5(sshd:account): pam_sm_acct_mgmt: entry
Mar  1 16:39:08 myhost sshd[22409]: pam_krb5(sshd:account): skipping non-Kerberos login
Mar  1 16:39:08 myhost sshd[22409]: pam_krb5(sshd:account): pam_sm_acct_mgmt: exit (ignore)
Mar  1 16:39:08 myhost sshd[22409]: fatal: Access denied for user jwedgeco by PAM account configuration

Here is the log from the kerberized login:
Mar  1 16:39:15 myhost sshd[22412]: Authorized to jwedgeco, krb5 principal jwedgeco at MYREALM (krb5_kuserok)
Mar  1 16:39:15 myhost sshd[22412]: pam_krb5(sshd:account): pam_sm_acct_mgmt: entry
Mar  1 16:39:15 myhost sshd[22412]: pam_krb5(sshd:account): skipping non-Kerberos login
Mar  1 16:39:15 myhost sshd[22412]: pam_krb5(sshd:account): pam_sm_acct_mgmt: exit (ignore)
Mar  1 16:39:15 myhost sshd[22412]: fatal: Access denied for user jwedgeco by PAM account configuration

Contents of /etc/pam.d/system-auth-ac:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        optional      pam_group.so
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 104 quiet
auth        sufficient    /usr/local/lib/security/pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 104 quiet
account     [default=bad success=ok user_unknown=ignore] /usr/local/lib/security/pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    /usr/local/lib/security/pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      /usr/local/lib/security/pam_krb5.so
session     required      pam_afs_session.so
session     required      pam_mkhomedir.so skel=/etc/skel umask=0022 silent

Contents of /etc/pam.d/sshd:
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session       sufficient    /usr/local/lib/security/pam_krb5.so
session    include      system-auth
session    required     pam_loginuid.so

Contents of /etc/ssh/sshd_config:
Protocol 2
SyslogFacility AUTHPRIV
ChallengeResponseAuthentication no
KerberosAuthentication yes
KerberosOrLocalPasswd no
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIAuthentication yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
X11Forwarding yes
UsePrivilegeSeparation yes
ShowPatchLevel no
Subsystem       sftp    /usr/libexec/openssh/sftp-server

Thanks,
Jason


---------------------------------------------------------------------------
Jason Edgecombe | Linux and Solaris Administrator
UNC Charlotte | The William States Lee College of Engineering
9201 University City Blvd. | Charlotte, NC 28223-0001
Phone: 704-687-3514
jwedgeco at MYREALM<mailto:jwedgeco at uncc.edu> | http://coe.MYREALM<http://coe.uncc.edu/> | Facebook<https://www.facebook.com/UNCCEngr>
---------------------------------------------------------------------------
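The account stack posted above can be replayed with a short model of how Linux-PAM resolves control flags. This is an added example, not code from the thread or from pam-krb5; every module return value except pam_krb5's (which the log shows as "exit (ignore)"), and the `ignore=ignore` variant of the control line, are assumptions.

```python
# Added example (not from the thread): a small model of Linux-PAM control-flag
# resolution, replaying the account stack posted above. Every module return
# value is ASSUMED except pam_krb5's, which the log shows as "exit (ignore)".

# Classic keywords expanded to their [...] equivalents, as in pam.conf(5).
CONTROLS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok",
                   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok",
                   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done",
                   "default": "ignore"},
}
def parse_control(spec):
    """'required' or '[default=bad success=ok ...]' -> {retval: action}."""
    if spec.startswith("["):
        return dict(tok.split("=", 1) for tok in spec.strip("[]").split())
    return CONTROLS[spec]

def run_stack(stack, results):
    """stack: [(module, control)], results: {module: PAM return value}.
    Simplified Linux-PAM rule: 'ignore' does not count, the first bad/die
    sticks and a later ok cannot override it, done/die end the stack."""
    impression = None  # None / "positive" / "negative"
    for module, spec in stack:
        actions = parse_control(spec)
        action = actions.get(results[module], actions["default"])
        if action in ("ok", "done") and impression != "negative":
            impression = "positive"
        elif action in ("bad", "die") and impression != "negative":
            impression = "negative"
        if action in ("done", "die"):
            break
    return "success" if impression == "positive" else "failure"

# Account lines from the posted system-auth-ac (sshd's pam_nologin omitted).
POSTED = [("pam_unix", "required"),
          ("pam_succeed_if", "sufficient"),
          ("pam_krb5", "[default=bad success=ok user_unknown=ignore]"),
          ("pam_permit", "required")]
# The posted control maps user_unknown to ignore but says nothing about
# ignore, so PAM_IGNORE falls through to default=bad. Assumed alternative:
FIXED = [(m, "[default=bad success=ok user_unknown=ignore ignore=ignore]")
         if m == "pam_krb5" else (m, c) for m, c in POSTED]
# Assumed returns: user known to pam_unix, uid >= 104 so pam_succeed_if
# fails, pam_krb5 "skipping non-Kerberos login" -> ignore, pam_permit ok.
RESULTS = {"pam_unix": "success", "pam_succeed_if": "auth_err",
           "pam_krb5": "ignore", "pam_permit": "success"}
```

With these assumed returns the posted stack evaluates to failure, matching the "Access denied ... by PAM account configuration" line in the log, while the variant that maps ignore explicitly evaluates to success.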


