Can't get Russ' pam_krb5 module to work with ssh on RHEL5

Edgecombe, Jason jwedgeco at uncc.edu
Fri Mar 2 16:38:38 EST 2012


Ah, I do have "KerberosAuthentication yes" in my sshd config. Does pam_afs_session still run, then?

---------------------------------------------------------------------------
Jason Edgecombe | Linux and Solaris Administrator
UNC Charlotte | The William States Lee College of Engineering
9201 University City Blvd. | Charlotte, NC 28223-0001
Phone: 704-687-3514
jwedgeco at uncc.edu | http://coe.uncc.edu
---------------------------------------------------------------------------


-----Original Message-----
From: Russ Allbery [mailto:rra at stanford.edu] 
Sent: Friday, March 02, 2012 4:02 PM
To: Edgecombe, Jason
Cc: 'kerberos at mit.edu'
Subject: Re: Can't get Russ' pam_krb5 module to work with ssh on RHEL5

"Edgecombe, Jason" <jwedgeco at uncc.edu> writes:

> I got console logins, password-based ssh logins and Kerberos ssh logins
> to work, but I'm puzzled by the system log output. The log messages
> suggest that Kerberos is not detected or used, but logins are working,
> tickets are granted, and tokens are obtained. From a user's perspective,
> everything looks fine.

> Should I be concerned about the logs?

[...]

> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_succeed_if.so uid < 104 quiet
> #account     [default=bad success=ok user_unknown=ignore] /usr/local/lib/security/pam_krb5.so
> account     required      /usr/local/lib/security/pam_krb5.so
> account     required      pam_permit.so

Ah, yes, that's a reasonable fix.

> Here are the logs for a password-based ssh login:

This part looks normal.  pam-krb5 doesn't really have anything to do when
logging on with GSS-API.

> Here are the logs for a kerberized ssh login:
> Mar  2 09:50:18 myhostname sshd[897]: Authorized to jwedgeco, krb5 principal jwedgeco at MYREALM (krb5_kuserok)

This log message is interesting.  This makes it look like sshd is doing
Kerberos authentication internally rather than using PAM.

Could you double-check your sshd_config and make sure that it says
something like:

    UsePAM yes

and does *not* say:

    KerberosAuthentication yes

I think you may have the latter setting, which tells sshd to do its own
Kerberos password authentication, bypassing PAM.  If that's working for
you, then by all means use it, but just be aware that it doesn't use PAM
and therefore none of your PAM configuration or settings will affect it
and your authentication group will be ignored.

> For completeness, here are the logs for a console login:

This looks like what I'd expect.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
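As an added example (not code from the thread or from either poster), a small Python checker that applies sshd_config's own parsing rules (case-insensitive keywords, first occurrence wins, Match blocks kept apart) to report whether Kerberos password logins would skip the PAM auth group, and that picks out sshd log lines of the kind quoted above. The config and log lines are constructed for illustration.

```python
import re

# Constructed sshd_config modelled on the thread, not the poster's file.
SAMPLE_SSHD_CONFIG = """\
Port 22
UsePAM yes
KerberosAuthentication yes      # sshd validates Kerberos passwords itself
KerberosAuthentication no       # ignored: sshd keeps the first value seen
GSSAPIAuthentication yes
Match User backup
    PasswordAuthentication no
"""

# Constructed log lines in the shape quoted in the thread.
SAMPLE_LOG = [
    "Mar  2 09:50:18 myhostname sshd[897]: Authorized to jwedgeco, "
    "krb5 principal jwedgeco@MYREALM (krb5_kuserok)",
    "Mar  2 09:51:02 myhostname sshd[903]: Accepted password for alice "
    "from 10.0.0.5 port 5000 ssh2",
]

def parse_sshd_config(text):
    """Global keyword -> value using sshd_config(5) rules: keywords are
    case-insensitive, '#' starts a comment, keyword and value are separated
    by whitespace or '=', and the FIRST occurrence of a keyword wins.
    Match-block directives are conditional and are returned separately."""
    global_opts, match_opts, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key, val = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":
            current = {}
            match_opts.append((val, current))
        else:
            (global_opts if current is None else current).setdefault(key, val)
    return global_opts, match_opts

def assess_pam_bypass(text):
    """With KerberosAuthentication yes, sshd checks Kerberos passwords itself,
    so logins it accepts never reach the PAM auth group (pam_krb5 and friends),
    whatever UsePAM says. Defaults per sshd_config(5) are 'no' for both."""
    opts, _ = parse_sshd_config(text)
    use_pam = opts.get("usepam", "no").lower() == "yes"
    krb_auth = opts.get("kerberosauthentication", "no").lower() == "yes"
    return {"use_pam": use_pam, "kerberos_authentication": krb_auth,
            "pam_auth_group_bypassed": krb_auth}

def internal_krb5_authorizations(lines):
    """sshd log lines carrying its own Kerberos authorization verdict, the
    '(krb5_kuserok)' tag discussed above, rather than a PAM module's output."""
    return [l for l in lines if "sshd[" in l and "(krb5_kuserok)" in l]
```

Running `assess_pam_bypass(SAMPLE_SSHD_CONFIG)` on the sample reports both settings as `yes` and the auth group as bypassed, even though the later `KerberosAuthentication no` line looks like it turns the feature off.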
