Can't get Russ' pam_krb5 module to work with ssh on RHEL5
Edgecombe, Jason
jwedgeco at uncc.edu
Fri Mar 2 09:55:15 EST 2012
Hi Russ,
I got console logins, password-based ssh logins and Kerberos ssh logins to work, but I'm puzzled by the system log output. The log messages suggest that Kerberos is not detected or used, but logins are working, tickets are granted, and tokens are obtained. From a user's perspective, everything looks fine.
Should I be concerned about the logs?
Here is my system-auth-ac PAM config:
auth optional pam_group.so
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 104 quiet
auth sufficient /usr/local/lib/security/pam_krb5.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 104 quiet
#account [default=bad success=ok user_unknown=ignore] /usr/local/lib/security/pam_krb5.so
account required /usr/local/lib/security/pam_krb5.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient /usr/local/lib/security/pam_krb5.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session required /usr/local/lib/security/pam_krb5.so
session required pam_afs_session.so
session required pam_mkhomedir.so skel=/etc/skel umask=0022 silent
Here is my sshd PAM config:
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session sufficient /usr/local/lib/security/pam_krb5.so
session include system-auth
session required pam_loginuid.so
Here are the logs for a password-based ssh login:
Mar 2 09:49:31 myhostname sshd[32590]: pam_krb5(sshd:account): pam_sm_acct_mgmt: entry
Mar 2 09:49:31 myhostname sshd[32590]: pam_krb5(sshd:account): skipping non-Kerberos login
Mar 2 09:49:31 myhostname sshd[32590]: pam_krb5(sshd:account): pam_sm_acct_mgmt: exit (ignore)
Mar 2 09:49:31 myhostname sshd[32590]: Accepted password for jwedgeco from 152.15.179.130 port 50131 ssh2
Mar 2 09:49:31 myhostname sshd[32590]: pam_krb5(sshd:session): pam_sm_open_session: entry
Mar 2 09:49:31 myhostname sshd[32590]: pam_krb5(sshd:session): no context found, creating one
Mar 2 09:49:31 myhostname sshd[32590]: pam_krb5(sshd:session): (user jwedgeco) unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
Mar 2 09:49:31 myhostname sshd[32590]: pam_krb5(sshd:session): pam_sm_open_session: exit (ignore)
Mar 2 09:49:31 myhostname sshd[32590]: pam_unix(sshd:session): session opened for user jwedgeco by (uid=0)
Mar 2 09:49:31 myhostname sshd[32590]: pam_krb5(sshd:session): pam_sm_open_session: entry
Mar 2 09:49:31 myhostname sshd[32590]: pam_krb5(sshd:session): no context found, creating one
Mar 2 09:49:31 myhostname sshd[32590]: pam_krb5(sshd:session): (user jwedgeco) unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
Mar 2 09:49:31 myhostname sshd[32590]: pam_krb5(sshd:session): pam_sm_open_session: exit (ignore)
Mar 2 09:49:31 myhostname sshd[32590]: pam_afs_session(sshd:session): pam_sm_open_session: entry (0x0)
Mar 2 09:49:31 myhostname sshd[32590]: pam_afs_session(sshd:session): running /usr/bin/aklog as UID 12345
Mar 2 09:49:31 myhostname sshd[32590]: pam_afs_session(sshd:session): pam_sm_open_session: exit (success)
Here are the logs for a kerberized ssh login:
Mar 2 09:50:18 myhostname sshd[897]: Authorized to jwedgeco, krb5 principal jwedgeco at MYREALM (krb5_kuserok)
Mar 2 09:50:18 myhostname sshd[897]: pam_krb5(sshd:account): pam_sm_acct_mgmt: entry
Mar 2 09:50:18 myhostname sshd[897]: pam_krb5(sshd:account): skipping non-Kerberos login
Mar 2 09:50:18 myhostname sshd[897]: pam_krb5(sshd:account): pam_sm_acct_mgmt: exit (ignore)
Mar 2 09:50:18 myhostname sshd[897]: Accepted gssapi-with-mic for jwedgeco from 10.17.151.248 port 33058 ssh2
Mar 2 09:50:18 myhostname sshd[897]: pam_krb5(sshd:session): pam_sm_open_session: entry
Mar 2 09:50:18 myhostname sshd[897]: pam_krb5(sshd:session): no context found, creating one
Mar 2 09:50:18 myhostname sshd[897]: pam_krb5(sshd:session): (user jwedgeco) unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
Mar 2 09:50:18 myhostname sshd[897]: pam_krb5(sshd:session): pam_sm_open_session: exit (ignore)
Mar 2 09:50:18 myhostname sshd[897]: pam_unix(sshd:session): session opened for user jwedgeco by (uid=0)
Mar 2 09:50:18 myhostname sshd[897]: pam_krb5(sshd:session): pam_sm_open_session: entry
Mar 2 09:50:18 myhostname sshd[897]: pam_krb5(sshd:session): no context found, creating one
Mar 2 09:50:18 myhostname sshd[897]: pam_krb5(sshd:session): (user jwedgeco) unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
Mar 2 09:50:18 myhostname sshd[897]: pam_krb5(sshd:session): pam_sm_open_session: exit (ignore)
Mar 2 09:50:18 myhostname sshd[897]: pam_afs_session(sshd:session): pam_sm_open_session: entry (0x0)
Mar 2 09:50:18 myhostname sshd[897]: pam_afs_session(sshd:session): running /usr/bin/aklog as UID 12345
Mar 2 09:50:18 myhostname sshd[897]: pam_afs_session(sshd:session): pam_sm_open_session: exit (success)
For completeness, here are the logs for a console login:
Mar 2 09:51:02 myhostname login: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty=tty1 ruser= rhost= user=jwedgeco
Mar 2 09:51:02 myhostname login: pam_krb5(login:auth): pam_sm_authenticate: entry
Mar 2 09:51:02 myhostname login: pam_krb5(login:auth): (user jwedgeco) attempting authentication as jwedgeco at MYREALM
Mar 2 09:51:02 myhostname login: pam_krb5(login:auth): user jwedgeco authenticated as jwedgeco at MYREALM
Mar 2 09:51:02 myhostname login: pam_krb5(login:auth): pam_sm_authenticate: exit (success)
Mar 2 09:51:02 myhostname login: pam_krb5(login:account): pam_sm_acct_mgmt: entry
Mar 2 09:51:02 myhostname login: pam_krb5(login:account): (user jwedgeco) retrieving principal from cache
Mar 2 09:51:02 myhostname login: pam_krb5(login:account): pam_sm_acct_mgmt: exit (success)
Mar 2 09:51:02 myhostname login: pam_unix(login:session): session opened for user jwedgeco by (uid=0)
Mar 2 09:51:02 myhostname login: pam_krb5(login:session): pam_sm_open_session: entry
Mar 2 09:51:02 myhostname login: pam_krb5(login:session): (user jwedgeco) initializing ticket cache /tmp/krb5cc_12345_4QvONg
Mar 2 09:51:02 myhostname login: pam_krb5(login:session): pam_sm_open_session: exit (success)
Mar 2 09:51:02 myhostname login: pam_afs_session(login:session): pam_sm_open_session: entry (0x0)
Mar 2 09:51:02 myhostname login: pam_afs_session(login:session): running /usr/bin/aklog as UID 12345
Mar 2 09:51:02 myhostname login: pam_afs_session(login:session): pam_sm_open_session: exit (success)
Mar 2 09:51:02 myhostname login: pam_krb5(login:setcred): pam_sm_setcred: entry (establish)
Mar 2 09:51:02 myhostname login: pam_krb5(login:setcred): pam_sm_setcred: exit (success)
Mar 2 09:51:02 myhostname login: LOGIN ON tty1 BY jwedgeco
Thanks,
Jason
---------------------------------------------------------------------------
Jason Edgecombe | Linux and Solaris Administrator
UNC Charlotte | The William States Lee College of Engineering
9201 University City Blvd. | Charlotte, NC 28223-0001
Phone: 704-687-3514
jwedgeco at MYREALM | http://coe.MYREALM | Facebook
---------------------------------------------------------------------------
-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Russ Allbery
Sent: Thursday, March 01, 2012 8:40 PM
To: Jason Edgecombe
Cc: kerberos at mit.edu
Subject: Re: Can't get Russ' pam_krb5 module to work with ssh on RHEL5
Jason Edgecombe <jason at rampaginggeek.com> writes:
> On 03/01/2012 07:38 PM, Russ Allbery wrote:
>> If you lock users in /etc/shadow, pam_unix will reject all logins via
>> whatever mechanism for those users. So you either have to arrange to
>> bypass pam_unix entirely in PAM, or you need to not lock users and
>> instead just give them invalid password entries.
>> However, "*" isn't locking the account; "!" is locking the account. At
>> least on Debian; maybe pam_unix works differently on Red Hat?
> Well, pam_unix worked fine with RedHat's pam_krb5. Console and GDM
> logins work; only ssh is broken. I don't think that the password entries
> are a problem.
There are two things that are obviously failing given your logs:
* pam-krb5 is not running at all during the authentication step. This
obviously can't be a problem with pam-krb5. :) Something is wrong with
the PAM configuration.
* The account group in PAM is rejecting the login despite the fact that
pam-krb5 is returning ignore. I'm pretty sure that adding the missing
ignore=ignore directive will fix this.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
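A worked model of the two points in Russ's reply, added here as an example and not code from the thread, from Linux-PAM or from pam-krb5. The Python below implements the control-flag semantics documented in pam.conf(5) (the expansion of required/requisite/sufficient/optional into bracket form, and the ok, done, bad, die, ignore, reset and N actions, in a simplified form that does not reproduce every corner of Linux-PAM's dispatcher) and replays the auth and account stacks from the posted system-auth-ac. The module return values are assumptions chosen to match the scenarios in the logs, not output of the real modules: pam_unix accepting or rejecting the password, pam_succeed_if failing its uid test for uid 12345, and pam_krb5 returning ignore, as the "skipping non-Kerberos login ... exit (ignore)" lines show. Two things come out of it: when pam_unix is "sufficient" and succeeds, the auth stack ends there and pam_krb5 is never called, which is consistent with the sshd logs containing no pam_krb5 auth lines at all; and in the account stack, pam_krb5's ignore result is harmless under "required" (whose expansion contains ignore=ignore) but is mapped to default=bad under the commented-out bracket form until ignore=ignore is added.

```python
"""Simulator for Linux-PAM control-flag evaluation (pam.conf(5) semantics).

Added example; not code from the mailing-list thread, Linux-PAM or pam-krb5.
Module return codes in the scenarios below are ASSUMED for illustration.
"""
from dataclasses import dataclass, field

# Keyword expansions as documented in pam.conf(5).
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}


def parse_control(text):
    """Map a control field ('required' or '[success=ok default=bad]') to {retcode: action}."""
    text = KEYWORDS.get(text.strip(), text.strip())
    return dict(tok.split("=", 1) for tok in text.strip("[]").split())


@dataclass
class Entry:
    module: str
    control: dict          # retcode -> action
    retcode: str           # ASSUMED return value of the module in this scenario


@dataclass
class Result:
    status: str                                  # PAM return code, e.g. "success"
    ran: list = field(default_factory=list)      # modules that were actually called

    @property
    def granted(self):
        return self.status == "success"


def run_stack(stack):
    """Evaluate one PAM stack (auth, account, ...) and return a Result."""
    impression = None          # None = undefined, True = positive, False = negative
    status = "perm_denied"     # what PAM returns if no module ever decides
    result = Result(status)
    i = 0
    while i < len(stack):
        e = stack[i]
        result.ran.append(e.module)
        action = e.control.get(e.retcode, e.control.get("default", "bad"))
        skip = 0
        if action == "reset":
            impression, status = None, "perm_denied"
        elif action in ("ok", "done") or action.isdigit():
            # A positive action only sets the result while nothing has failed yet,
            # and an 'ignore' return never contributes to the stack's result.
            if (impression is None or (impression and status == "success")) and e.retcode != "ignore":
                impression, status = True, e.retcode
            if action == "done" and impression:
                break                      # 'sufficient' success ends the stack here
            if action.isdigit():
                skip = int(action)         # N: like ok, then jump over the next N modules
        elif action in ("bad", "die"):
            if impression is not False:
                # Simplification: an 'ignore' return that the table maps to bad is
                # reported as a generic denial rather than as the raw ignore code.
                impression, status = False, e.retcode if e.retcode != "ignore" else "perm_denied"
            if action == "die":
                break
        # action == "ignore": this module's result does not contribute
        i += 1 + skip
    result.status = status
    return result


def auth_stack(unix_result):
    """The 'auth' lines of the posted system-auth-ac, with an ASSUMED pam_unix outcome."""
    return [
        Entry("pam_group",      parse_control("optional"),   "success"),
        Entry("pam_env",        parse_control("required"),   "success"),
        Entry("pam_unix",       parse_control("sufficient"), unix_result),
        Entry("pam_succeed_if", parse_control("requisite"),  "success"),      # uid 12345 >= 104
        Entry("pam_krb5",       parse_control("sufficient"), "success"),      # assumed: KDC accepts the password
        Entry("pam_deny",       parse_control("required"),   "perm_denied"),
    ]


def account_stack(krb5_control):
    """The 'account' lines of the posted system-auth-ac, with pam_krb5 returning
    ignore (the logged 'skipping non-Kerberos login') under the given control field."""
    return [
        Entry("pam_unix",       parse_control("required"),   "success"),
        Entry("pam_succeed_if", parse_control("sufficient"), "auth_err"),     # uid 12345 is not < 104
        Entry("pam_krb5",       parse_control(krb5_control), "ignore"),
        Entry("pam_permit",     parse_control("required"),   "success"),
    ]


if __name__ == "__main__":
    scenarios = [
        ("auth, pam_unix accepts the password", auth_stack("success")),
        ("auth, pam_unix rejects the password", auth_stack("auth_err")),
        ("account, pam_krb5 'required'", account_stack("required")),
        ("account, commented-out bracket form", account_stack("[default=bad success=ok user_unknown=ignore]")),
        ("account, bracket form plus ignore=ignore",
         account_stack("[default=bad success=ok user_unknown=ignore ignore=ignore]")),
    ]
    for label, stack in scenarios:
        r = run_stack(stack)
        print(f"{label}: status={r.status} ran={r.ran}")
```

Running it prints, for each scenario, the final status and the list of modules that were actually called; compare that list with the pam_krb5 "entry"/"exit" debug lines in the logs, which are the real-world equivalent of this trace. The jump form used by the session line "[success=1 default=ignore] pam_succeed_if.so" is handled too: a successful pam_succeed_if counts as ok and skips the next module.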