root login via Kerberos5 - "User not known to the underlying authentication module" - why?
Russ Allbery
eagle at eyrie.org
Sat Mar 29 16:44:10 EDT 2014
Wendy Lin <wendlin1974 at gmail.com> writes:
> I turned on pam_krb5 debugging and received this in /var/log/messages:
> pam_krb5[3808]: user 'root' was not authenticated by pam_krb5,
> returning "User not known to the underlying authentication module"
> What does this mean?
Based on the debugging output, I think you're using the Red Hat PAM
module, which I don't know a lot about. But just taking a wild guess, I
wonder if that module is declining to authenticate root to a principal
named root for some reason.
That configuration is rather unusual (I don't recall anyone else doing
it), and usually would constitude a potential security vulnerability where
someone who could create arbitrary principals in the KDC could gain local
root access on any system using Kerberos. (There are some environments,
where Kerberos use is less central, where local root access is more secure
than the KDCs, or at least is in a different authentication domain that
shouldn't allow lateral movement.)
With my PAM module, the ignore_root and minimum_uid configuration options
control this behavior. I'm not sure off-hand if the PAM module you're
using has similar settings.
--
Russ Allbery (eagle at eyrie.org) <http://www.eyrie.org/~eagle/>
More information about the Kerberos
mailing list