Can't get Russ' pam_krb5 module to work with ssh on RHEL5

Russ Allbery rra at stanford.edu
Fri Mar 2 16:02:20 EST 2012


"Edgecombe, Jason" <jwedgeco at uncc.edu> writes:

> I got console logins, password-based ssh logins and Kerberos ssh logins
> to work, but I'm puzzled by the system log output. The log messages
> suggest that Kerberos is not detected or used, but logins are working,
> tickets are granted, and tokens are obtained. From a user's perspective,
> everything looks fine.

> Should I be concerned about the logs?

[...]

> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_succeed_if.so uid < 104 quiet
> #account     [default=bad success=ok user_unknown=ignore] /usr/local/lib/security/pam_krb5.so
> account     required      /usr/local/lib/security/pam_krb5.so
> account     required      pam_permit.so

Ah, yes, that's a reasonable fix.

> Here are the logs for a password-based ssh login:

This part looks normal.  pam-krb5 doesn't really have anything to do when
logging on with GSS-API.

> Here are the logs for a kerberized ssh login:
> Mar  2 09:50:18 myhostname sshd[897]: Authorized to jwedgeco, krb5 principal jwedgeco at MYREALM (krb5_kuserok)

This log message is interesting.  This makes it look like sshd is doing
Kerberos authentication internally rather than using PAM.

Could you double-check your sshd_config and make sure that it says
something like:

    UsePAM yes

and does *not* say:

    KerberosAuthentication yes

I think you may have the latter setting, which tells sshd to do its own
Kerberos password authentication, bypassing PAM.  If that's working for
you, then by all means use it, but just be aware that it doesn't use PAM
and therefore none of your PAM configuration or settings will affect it
and your authentication group will be ignored.

> For completeness, here are the logs for a console login:

This looks like what I'd expect.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
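
The check Russ asks for above (UsePAM yes, KerberosAuthentication not yes), as an added example rather than anything from the thread or from pam-krb5 itself: a small POSIX shell script that reads an sshd_config and reports whether password logins will reach PAM. It assumes the documented sshd behaviour that keywords are case-insensitive, that the first uncommented occurrence of a keyword wins, and that both UsePAM and KerberosAuthentication default to "no"; the function and variable names, and the sample configs it writes to a temporary directory, are constructed for this example (Match blocks are not handled).

```shell
#!/bin/sh
# Added example: verify that sshd hands password logins to PAM instead of doing
# its own Kerberos password authentication. Assumptions (documented sshd
# behaviour): keywords are case-insensitive, first uncommented occurrence wins,
# UsePAM and KerberosAuthentication both default to "no". Match blocks are ignored.

# Print the effective lower-cased value of one keyword, or the given default.
# $1 = config file, $2 = keyword, $3 = default value
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/ { next }                      # skip commented lines
        NF >= 2 && tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print tolower(def) }         # fall back to the default
    ' "$1"
}

# Return 0 when sshd will consult PAM for password logins and is not doing
# Kerberos password authentication internally; return 1 and explain otherwise.
check_sshd_pam_config() {
    usepam=$(sshd_effective "$1" UsePAM no)
    krb=$(sshd_effective "$1" KerberosAuthentication no)
    status=0
    if [ "$usepam" != "yes" ]; then
        echo "UsePAM is '$usepam': pam_krb5 will not be consulted for password logins"
        status=1
    fi
    if [ "$krb" = "yes" ]; then
        echo "KerberosAuthentication is yes: sshd does Kerberos password auth itself, bypassing PAM"
        status=1
    fi
    return $status
}

# Constructed sample configs for a stand-alone run (not from any real host).
tmpdir=$(mktemp -d)
cat > "$tmpdir/bypasses_pam" <<'EOF'
# constructed sshd_config resembling the symptom in the thread
Port 22
KerberosAuthentication yes
UsePAM yes
EOF
cat > "$tmpdir/uses_pam" <<'EOF'
# constructed sshd_config with the setting commented out
Port 22
#KerberosAuthentication yes
UsePAM yes
EOF
check_sshd_pam_config "$tmpdir/bypasses_pam" || echo "bypasses_pam: sshd skips PAM"
check_sshd_pam_config "$tmpdir/uses_pam" && echo "uses_pam: password logins go through PAM"
rm -rf "$tmpdir"
```

Run it against the real file with `check_sshd_pam_config /etc/ssh/sshd_config`; a non-zero exit means sshd's own Kerberos handling, not the PAM stack, is what the "krb5_kuserok" log line above is coming from.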