Can't get Russ' pam_krb5 module to work with ssh on RHEL5

Russ Allbery rra at stanford.edu
Thu Mar 1 18:43:43 EST 2012


"Edgecombe, Jason" <jwedgeco at uncc.edu> writes:

> I have Russ Allbery's pam_krb5 and pam_afs_session modules working for
> console logins, but they fail for ssh logins (both password and
> kerberized).  I can get ssh logins to work with RedHat's pam_krb5
> module, but RedHat's module causes problems with AFS tokens and Gnome
> (gconfd).  Disabling ssh privilege separation doesn't make a
> difference. Any help is appreciated.

> Platform: RHEL 5.6 x86_64

> Here is the log from the password login:
> Mar  1 16:39:08 myhost sshd[22409]: pam_krb5(sshd:account): pam_sm_acct_mgmt: entry
> Mar  1 16:39:08 myhost sshd[22409]: pam_krb5(sshd:account): skipping non-Kerberos login
> Mar  1 16:39:08 myhost sshd[22409]: pam_krb5(sshd:account): pam_sm_acct_mgmt: exit (ignore)
> Mar  1 16:39:08 myhost sshd[22409]: fatal: Access denied for user jwedgeco by PAM account configuration

The first thing that jumps out here is that apparently the auth
functionality of pam-krb5 never ran.  Either that, or debug wasn't enabled
for auth, but the account group is also saying that the user didn't log on
with Kerberos.

> Contents of /etc/pam.d/system-auth-ac:
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        optional      pam_group.so
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 104 quiet
> auth        sufficient    /usr/local/lib/security/pam_krb5.so use_first_pass
> auth        required      pam_deny.so

Does the user's UNIX password match their Kerberos password?  If so, then
pam_unix will succeed and nothing subsequent to that will run, so no
Kerberos authentication was ever performed.

> Here is the log from the kerberized login:

This is a different problem.

> Mar  1 16:39:15 myhost sshd[22412]: Authorized to jwedgeco, krb5 principal jwedgeco at MYREALM (krb5_kuserok)
> Mar  1 16:39:15 myhost sshd[22412]: pam_krb5(sshd:account): pam_sm_acct_mgmt: entry
> Mar  1 16:39:15 myhost sshd[22412]: pam_krb5(sshd:account): skipping non-Kerberos login
> Mar  1 16:39:15 myhost sshd[22412]: pam_krb5(sshd:account): pam_sm_acct_mgmt: exit (ignore)

This part is expected, I think.  The account group for pam-krb5 only makes
sense in combination with a password authentication.  If you authenticate
via GSS-API, sshd is responsible for doing the authorization check and
there isn't anything for PAM to do.

> Mar  1 16:39:15 myhost sshd[22412]: fatal: Access denied for user jwedgeco by PAM account configuration

> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_succeed_if.so uid < 104 quiet
> account     [default=bad success=ok user_unknown=ignore] /usr/local/lib/security/pam_krb5.so
> account     required      pam_permit.so

default=bad is mapping ignore to fail.  You need to add ignore=ignore to
your configuration for the pam_krb5 line.  (You don't need
user_unknown=ignore for my PAM module; it won't return user_unknown unless
validation of a Kerberos login actually fails.)

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
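The two diagnoses in the reply (pam_unix succeeding as `sufficient` so pam_krb5 never runs, and `default=bad` turning pam_krb5's PAM_IGNORE into a denial) can be checked with a small simulator of how the Linux-PAM dispatcher walks a stack. This is an added example, not code from pam-krb5, Linux-PAM or the thread; the ok/done/bad/die/ignore semantics follow the pam.conf(5) description, the stacks are the ones quoted above (only the pam_krb5 path is kept verbatim), and the per-module return codes are constructed assumptions for a user with uid 1000 logging in with a password.

```python
"""Simulate Linux-PAM control-flag dispatch for the stacks quoted in the thread.

Added example, not code from pam-krb5 or Linux-PAM. Action semantics follow
pam.conf(5); module return values below are constructed, not captured.
"""

# PAM return codes (numeric values as in Linux-PAM's _pam_types.h)
PAM_SUCCESS, PAM_PERM_DENIED, PAM_AUTH_ERR, PAM_USER_UNKNOWN, PAM_IGNORE = 0, 6, 7, 10, 25
NAMES = {PAM_SUCCESS: "success", PAM_PERM_DENIED: "perm_denied",
         PAM_AUTH_ERR: "auth_err", PAM_USER_UNKNOWN: "user_unknown",
         PAM_IGNORE: "ignore"}

# The keyword controls are shorthand for these bracketed action maps (pam.conf(5)).
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}


def parse_control(control):
    """'required' or '[default=bad success=ok ...]' -> {return_name: action}."""
    control = KEYWORDS.get(control, control)
    return dict(pair.split("=", 1) for pair in control.strip("[]").split())


def run_stack(stack, returns):
    """Evaluate a stack of (control, module) lines; returns (status, modules_run).

    'returns' maps module -> the PAM code that module returns for this login.
    """
    UNDEF, POSITIVE, NEGATIVE = "undef", "positive", "negative"
    impression, status, ran, i = UNDEF, PAM_PERM_DENIED, [], 0
    while i < len(stack):
        control, module = stack[i]
        i += 1
        retval = returns[module]
        ran.append(module)
        actions = parse_control(control)
        action = actions.get(NAMES[retval], actions.get("default", "bad"))
        if action in ("ok", "done"):
            # A result only counts if no earlier module already recorded a failure.
            if impression == UNDEF or (impression == POSITIVE and status == PAM_SUCCESS):
                impression, status = POSITIVE, retval
            if action == "done" and impression == POSITIVE:
                break                       # sufficient: later modules never run
        elif action in ("bad", "die"):
            if impression != NEGATIVE:
                impression = NEGATIVE
                # The dispatcher never hands PAM_IGNORE back to the application;
                # an ignore mapped to 'bad' is reported as a plain denial.
                status = PAM_PERM_DENIED if retval == PAM_IGNORE else retval
            if action == "die":
                break                       # requisite: stop immediately
        elif action == "reset":
            impression, status = UNDEF, PAM_PERM_DENIED
        elif action != "ignore":
            i += int(action)                # numeric action: skip N modules
    # Dispatcher sanity check: a success needs at least one positive contribution,
    # which is why the account stack ends in 'required pam_permit.so'.
    if status == PAM_SUCCESS and impression != POSITIVE:
        status = PAM_PERM_DENIED
    return status, ran

KRB5 = "/usr/local/lib/security/pam_krb5.so"

AUTH_STACK = [("optional", "pam_group.so"), ("required", "pam_env.so"),
              ("sufficient", "pam_unix.so"), ("requisite", "pam_succeed_if.so uid >= 104"),
              ("sufficient", KRB5), ("required", "pam_deny.so")]

ACCOUNT_STACK_AS_POSTED = [("required", "pam_unix.so"),
                           ("sufficient", "pam_succeed_if.so uid < 104"),
                           ("[default=bad success=ok user_unknown=ignore]", KRB5),
                           ("required", "pam_permit.so")]

# Russ's fix: map the module's PAM_IGNORE to the 'ignore' action.
ACCOUNT_STACK_FIXED = [("required", "pam_unix.so"),
                       ("sufficient", "pam_succeed_if.so uid < 104"),
                       ("[default=bad success=ok ignore=ignore]", KRB5),
                       ("required", "pam_permit.so")]


def password_login_returns(unix_password_matches):
    """Constructed auth-stack results for a uid-1000 user typing a password."""
    return {"pam_group.so": PAM_SUCCESS, "pam_env.so": PAM_SUCCESS,
            "pam_unix.so": PAM_SUCCESS if unix_password_matches else PAM_AUTH_ERR,
            "pam_succeed_if.so uid >= 104": PAM_SUCCESS,
            KRB5: PAM_SUCCESS, "pam_deny.so": PAM_PERM_DENIED}

# Constructed account-stack results for the logged "skipping non-Kerberos login" case.
ACCOUNT_RETURNS_NON_KRB = {"pam_unix.so": PAM_SUCCESS,
                           "pam_succeed_if.so uid < 104": PAM_AUTH_ERR,
                           KRB5: PAM_IGNORE, "pam_permit.so": PAM_SUCCESS}

if __name__ == "__main__":
    for label, stack, rets in [("auth, UNIX pw matches", AUTH_STACK, password_login_returns(True)),
                               ("auth, UNIX pw differs", AUTH_STACK, password_login_returns(False)),
                               ("account as posted", ACCOUNT_STACK_AS_POSTED, ACCOUNT_RETURNS_NON_KRB),
                               ("account with ignore=ignore", ACCOUNT_STACK_FIXED, ACCOUNT_RETURNS_NON_KRB)]:
        status, ran = run_stack(stack, rets)
        print(f"{label}: {NAMES[status]}, ran {ran}")
```

Running it shows pam_krb5 absent from the auth trace whenever pam_unix accepts the password, the posted account stack ending in `perm_denied` for a non-Kerberos login, and the same stack with `ignore=ignore` ending in `success`; the final sanity check also shows why a stack whose modules are all ignored denies access rather than silently succeeding.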


More information about the Kerberos mailing list