root login via Kerberos5 - "User not known to the underlying authentication module" - why?
Wendy Lin
wendlin1974 at gmail.com
Sat Mar 29 17:09:34 EDT 2014
On 29 March 2014 21:44, Russ Allbery <eagle at eyrie.org> wrote:
> Wendy Lin <wendlin1974 at gmail.com> writes:
>
>> I turned on pam_krb5 debugging and received this in /var/log/messages:
>
>> pam_krb5[3808]: user 'root' was not authenticated by pam_krb5,
>> returning "User not known to the underlying authentication module"
>
>> What does this mean?
>
> Based on the debugging output, I think you're using the Red Hat PAM
> module, which I don't know a lot about. But just taking a wild guess, I
> wonder if that module is declining to authenticate root to a principal
> named root for some reason.
>
> That configuration is rather unusual (I don't recall anyone else doing
> it), and usually would constitute a potential security vulnerability where
> someone who could create arbitrary principals in the KDC could gain local
> root access on any system using Kerberos. (There are some environments,
> where Kerberos use is less central, where local root access is more secure
> than the KDCs, or at least is in a different authentication domain that
> shouldn't allow lateral movement.)
The KDC here is controlled by root, and root on all machines is all the
same person, so in our case it's not a problem.
> With my PAM module, the ignore_root and minimum_uid configuration options
> control this behavior. I'm not sure off-hand if the PAM module you're
> using has similar settings.
strings /lib64/security/pam_krb5.so | fgrep ignore_root
yields no matches.
/etc/krb5.conf has these entries for pam:

    pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        minimum_uid = 0
        clockskew = 300
        external = sshd
        use_shmem = sshd
        debug = true
    }
Wendy
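The thread turns on one setting in the pam stanza of krb5.conf: minimum_uid = 0, which (in Russ Allbery's pam-krb5, where minimum_uid is the lowest UID the module will attempt to authenticate) allows root itself to be authenticated against a Kerberos principal. Below is an added audit script, not code from the thread or from either pam_krb5 project, that parses a krb5.conf-style file and reports the settings a reviewer would want flagged. The two config fragments are constructed, modelled on the one Wendy posted but placed under [appdefaults] where the pam stanza normally lives; the parser is deliberately minimal and is an assumption about the file syntax, not the libkrb5 parser. The semantics checked (minimum_uid as a lower UID bound; debug = true as verbose logging left on) are those described in the thread and in pam-krb5's documentation, not a claim about the Red Hat module.

```python
import re

# Constructed sample, modelled on the stanza quoted in the thread (not the real file).
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM

[appdefaults]
    pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        minimum_uid = 0
        clockskew = 300
        external = sshd
        use_shmem = sshd
        debug = true
    }
"""

# Constructed "corrected" variant: root (and other system accounts) excluded
# from Kerberos authentication by raising minimum_uid; debug logging turned off.
HARDENED_KRB5_CONF = SAMPLE_KRB5_CONF.replace(
    "minimum_uid = 0", "minimum_uid = 1000").replace(
    "debug = true", "debug = false")


def parse_krb5_conf(text):
    """Parse a krb5.conf-style text into nested dicts.

    [section] headers become top-level keys; `key = { ... }` blocks nest one
    level per brace. Comments (# or ;) and blank lines are ignored. This is a
    small audit-oriented parser (an assumption about the syntax), not libkrb5's.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                                   # new section resets the nesting
            stack = [root.setdefault(m.group(1), {})]
            continue
        if line == "}":                         # close the innermost block
            if len(stack) > 1:
                stack.pop()
            continue
        m = re.fullmatch(r"(\w+)\s*=\s*\{", line)
        if m:                                   # open a nested block
            stack.append(stack[-1].setdefault(m.group(1), {}))
            continue
        m = re.fullmatch(r"(\w+)\s*=\s*(.*)", line)
        if m:                                   # plain key = value
            stack[-1][m.group(1)] = m.group(2).strip()
    return root


def audit_pam_stanza(conf):
    """Return a list of findings (strings) for the pam stanza under [appdefaults].

    An empty list means nothing the checks below consider risky was found.
    """
    findings = []
    pam = conf.get("appdefaults", {}).get("pam")
    if pam is None:
        return ["no pam stanza under [appdefaults]; module defaults apply"]

    uid = pam.get("minimum_uid")
    if uid is None:
        findings.append("minimum_uid not set; module default decides whether "
                        "root may authenticate via Kerberos")
    elif not uid.isdigit():
        findings.append("minimum_uid = %r is not numeric" % uid)
    elif int(uid) <= 0:
        # This is exactly the thread's configuration: uid 0 is not excluded,
        # so a principal named 'root' can log in as local root.
        findings.append("minimum_uid = %s: root (uid 0) may be authenticated "
                        "by Kerberos; raise it above 0 unless the KDC is "
                        "trusted as much as local root" % uid)

    if pam.get("debug", "false").lower() == "true":
        findings.append("debug = true: verbose pam_krb5 logging is enabled; "
                        "disable once troubleshooting is finished")
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_KRB5_CONF),
                        ("hardened", HARDENED_KRB5_CONF)):
        print("== %s ==" % label)
        for finding in audit_pam_stanza(parse_krb5_conf(text)) or ["no findings"]:
            print(" -", finding)
```

Running the script prints the minimum_uid and debug findings for the posted stanza and no findings for the hardened variant. Whether the installed module also honours an ignore_root option is a separate question; the thread's strings check on pam_krb5.so is still the practical way to see which option names a given module binary recognises.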