PAM Krb5

I have been trying to get the PAM Krb5 module to work for the past few days and was wondering if it would be possible for someone to point me in the right direction regarding some problems I am having. I'm using a Gentoo system with MIT Kerberos5 v1.3.3, PAM v0.77 and PAM_krb5 version 2.1.0. When I ssh into the box I can log in, but whilst I get a TGT allocated (I can see it being allocated on the KDC), it never gets put in the cache. However, when I log on at the console it does. It looks from the output of the logs that it forgets the user logging on has got any credentials. Also, I'm asked for the password three times, where I can enter nonsense, before it prompts me for the root@host password. I've been going around in circles for the past few days on this one, so I'd be really grateful for any help anyone could give me. I've included the contents of the log file and configuration files with the domain changed to EXAMPLE.COM.

Thanks in advance,

Anthony


-----------------------------------------------------------
/etc/pam.d/system-auth
-----------------------------------------------------------
auth required /lib/security/pam_env.so
auth required /usr/local/lib/security/pam_krb5.so debug
auth required /lib/security/pam_deny.so

account required /lib/security/pam_unix.so

password required /lib/security/pam_cracklib.so retry=3
password sufficient /usr/local/lib/security/pam_krb5.so use_authtok debug
password required /lib/security/pam_deny.so


session required /lib/security/pam_limits.so debug
session required /lib/security/pam_unix.so
session optional /usr/local/lib/security/pam_krb5.so debug tokens use_authtok


-----------------------------------------------------------
/etc/krb5.conf
-----------------------------------------------------------
[libdefaults]
        ticket_lifetime = 600
        default_realm = EXAMPLE.COM
        default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
        default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
        EXAMPLE.COM = {
        kdc = kerberos:88
        admin_server = kerberos:749
        }

[domain_realm]
        .example.com = EXAMPLE.COM
        example.com = EXAMPLE.COM

[logging]
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log

[appdefaults]
  pam = {
    debug = true
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
    max_timeout = 30
    timeout_shift = 2
    initial_timeout = 1
    required_tgs = host/host.example.com
  }

-----------------------------------------------------------
Log contents
-----------------------------------------------------------
Jun 2 00:09:40 host sshd[25799]: pam_krb5[25799]: default/local realm 'EXAMPLE.COM'
Jun 2 00:09:40 host sshd[25799]: pam_krb5[25799]: configured realm 'EXAMPLE.COM'
Jun 2 00:09:40 host sshd[25799]: pam_krb5[25799]: flags: forwardable
Jun 2 00:09:40 host sshd[25799]: pam_krb5[25799]: flag: user_check
Jun 2 00:09:40 host sshd[25799]: pam_krb5[25799]: flag: no krb4_convert
Jun 2 00:09:40 host sshd[25799]: pam_krb5[25799]: flag: warn
Jun 2 00:09:40 host sshd[25799]: pam_krb5[25799]: ticket lifetime: 36000
Jun 2 00:09:40 host sshd[25799]: pam_krb5[25799]: renewable lifetime: 36000
Jun 2 00:09:40 host sshd[25799]: pam_krb5[25799]: banner: Kerberos 5
Jun 2 00:09:40 host sshd[25799]: pam_krb5[25799]: ccache dir: /tmp
Jun 2 00:09:40 host sshd[25799]: pam_krb5[25799]: keytab: /etc/krb5.keytab
Jun 2 00:09:40 host sshd[25799]: pam_krb5[25799]: called to authenticate 'root'
Jun 2 00:09:40 host sshd[25799]: pam_krb5[25799]: authenticating 'root@xxxxxxxxxxx'
Jun 2 00:09:42 host sshd[25799]: pam_krb5[25799]: saving newly-entered password for use by other modules
Jun 2 00:09:42 host sshd[25799]: pam_krb5[25799]: trying newly-entered password for 'root'
Jun 2 00:09:42 host sshd[25799]: pam_krb5[25799]: authenticating 'root@xxxxxxxxxxx' to 'krbtgt/EXAMPLE.COM@xxxxxxxxxxx'
Jun 2 00:09:42 host sshd[25799]: pam_krb5[25799]: krb5_get_init_creds_password(krbtgt/EXAMPLE.COM@xxxxxxxxxxx) returned 0 (Unknown code 0)
Jun 2 00:09:42 host sshd[25799]: pam_krb5[25799]: got result 0 (Unknown code 0)
Jun 2 00:09:42 host sshd[25799]: pam_krb5[25799]: authentication succeeds for 'root' (root@xxxxxxxxxxx)
Jun 2 00:09:42 host sshd[25797]: error: PAM: Authentication failure
Jun 2 00:09:42 host sshd[25800]: pam_krb5[25800]: default/local realm 'EXAMPLE.COM'
Jun 2 00:09:42 host sshd[25800]: pam_krb5[25800]: configured realm 'EXAMPLE.COM'
Jun 2 00:09:42 host sshd[25800]: pam_krb5[25800]: flags: forwardable
Jun 2 00:09:42 host sshd[25800]: pam_krb5[25800]: flag: user_check
Jun 2 00:09:42 host sshd[25800]: pam_krb5[25800]: flag: no krb4_convert
Jun 2 00:09:42 host sshd[25800]: pam_krb5[25800]: flag: warn
Jun 2 00:09:42 host sshd[25800]: pam_krb5[25800]: ticket lifetime: 36000
Jun 2 00:09:42 host sshd[25800]: pam_krb5[25800]: renewable lifetime: 36000
Jun 2 00:09:42 host sshd[25800]: pam_krb5[25800]: banner: Kerberos 5
Jun 2 00:09:42 host sshd[25800]: pam_krb5[25800]: ccache dir: /tmp
Jun 2 00:09:42 host sshd[25800]: pam_krb5[25800]: keytab: /etc/krb5.keytab
Jun 2 00:09:42 host sshd[25800]: pam_krb5[25800]: called to authenticate 'root'
Jun 2 00:09:42 host sshd[25800]: pam_krb5[25800]: authenticating 'root@xxxxxxxxxxx'
Jun 2 00:09:45 host sshd[25800]: pam_krb5[25800]: saving newly-entered password for use by other modules
Jun 2 00:09:45 host sshd[25800]: pam_krb5[25800]: trying newly-entered password for 'root'
Jun 2 00:09:45 host sshd[25800]: pam_krb5[25800]: authenticating 'root@xxxxxxxxxxx' to 'krbtgt/EXAMPLE.COM@xxxxxxxxxxx'
Jun 2 00:09:45 host sshd[25800]: pam_krb5[25800]: krb5_get_init_creds_password(krbtgt/EXAMPLE.COM@xxxxxxxxxxx) returned 0 (Unknown code 0)
Jun 2 00:09:45 host sshd[25800]: pam_krb5[25800]: got result 0 (Unknown code 0)
Jun 2 00:09:45 host sshd[25800]: pam_krb5[25800]: authentication succeeds for 'root' (root@xxxxxxxxxxx)
Jun 2 00:09:45 host sshd[25797]: error: PAM: Authentication failure
Jun 2 00:09:45 host sshd[25801]: pam_krb5[25801]: default/local realm 'EXAMPLE.COM'
Jun 2 00:09:45 host sshd[25801]: pam_krb5[25801]: configured realm 'EXAMPLE.COM'
Jun 2 00:09:45 host sshd[25801]: pam_krb5[25801]: flags: forwardable
Jun 2 00:09:45 host sshd[25801]: pam_krb5[25801]: flag: user_check
Jun 2 00:09:45 host sshd[25801]: pam_krb5[25801]: flag: no krb4_convert
Jun 2 00:09:45 host sshd[25801]: pam_krb5[25801]: flag: warn
Jun 2 00:09:45 host sshd[25801]: pam_krb5[25801]: ticket lifetime: 36000
Jun 2 00:09:45 host sshd[25801]: pam_krb5[25801]: renewable lifetime: 36000
Jun 2 00:09:45 host sshd[25801]: pam_krb5[25801]: banner: Kerberos 5
Jun 2 00:09:45 host sshd[25801]: pam_krb5[25801]: ccache dir: /tmp
Jun 2 00:09:45 host sshd[25801]: pam_krb5[25801]: keytab: /etc/krb5.keytab
Jun 2 00:09:45 host sshd[25801]: pam_krb5[25801]: called to authenticate 'root'
Jun 2 00:09:45 host sshd[25801]: pam_krb5[25801]: authenticating 'root@xxxxxxxxxxx'
Jun 2 00:09:46 host sshd[25801]: pam_krb5[25801]: saving newly-entered password for use by other modules
Jun 2 00:09:46 host sshd[25801]: pam_krb5[25801]: trying newly-entered password for 'root'
Jun 2 00:09:46 host sshd[25801]: pam_krb5[25801]: authenticating 'root@xxxxxxxxxxx' to 'krbtgt/EXAMPLE.COM@xxxxxxxxxxx'
Jun 2 00:09:46 host sshd[25801]: pam_krb5[25801]: krb5_get_init_creds_password(krbtgt/EXAMPLE.COM@xxxxxxxxxxx) returned 0 (Unknown code 0)
Jun 2 00:09:46 host sshd[25801]: pam_krb5[25801]: got result 0 (Unknown code 0)
Jun 2 00:09:46 host sshd[25801]: pam_krb5[25801]: authentication succeeds for 'root' (root@xxxxxxxxxxx)
Jun 2 00:09:46 host sshd[25797]: error: PAM: Authentication failure
Jun 2 00:09:46 host sshd[25797]: Failed keyboard-interactive/pam for root from ::ffff:10.0.1.51 port 48177 ssh2
Jun 2 00:09:52 host sshd[25797]: Accepted password for root from ::ffff:10.0.1.51 port 48177 ssh2
Jun 2 00:09:52 host sshd[25797]: pam_krb5[25797]: default/local realm 'EXAMPLE.COM'
Jun 2 00:09:52 host sshd[25797]: pam_krb5[25797]: configured realm 'EXAMPLE.COM'
Jun 2 00:09:52 host sshd[25797]: pam_krb5[25797]: flags: forwardable
Jun 2 00:09:52 host sshd[25797]: pam_krb5[25797]: flag: user_check
Jun 2 00:09:52 host sshd[25797]: pam_krb5[25797]: flag: no krb4_convert
Jun 2 00:09:52 host sshd[25797]: pam_krb5[25797]: flag: warn
Jun 2 00:09:52 host sshd[25797]: pam_krb5[25797]: ticket lifetime: 36000
Jun 2 00:09:52 host sshd[25797]: pam_krb5[25797]: renewable lifetime: 36000
Jun 2 00:09:52 host sshd[25797]: pam_krb5[25797]: banner: Kerberos 5
Jun 2 00:09:52 host sshd[25797]: pam_krb5[25797]: ccache dir: /tmp
Jun 2 00:09:52 host sshd[25797]: pam_krb5[25797]: keytab: /etc/krb5.keytab
Jun 2 00:09:52 host sshd[25797]: pam_krb5[25797]: no v5 creds for user 'root', skipping session setup
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: default/local realm 'EXAMPLE.COM'
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: configured realm 'EXAMPLE.COM'
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: flags: forwardable
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: flag: tokens
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: flag: user_check
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: flag: use_authtok
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: flag: no krb4_convert
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: flag: warn
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: ticket lifetime: 36000
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: renewable lifetime: 36000
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: banner: Kerberos 5
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: ccache dir: /tmp
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: keytab: /etc/krb5.keytab
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: no v5 creds for user 'root', skipping session setup
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: default/local realm 'EXAMPLE.COM'
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: configured realm 'EXAMPLE.COM'
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: flags: forwardable
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: flag: user_check
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: flag: no krb4_convert
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: flag: warn
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: ticket lifetime: 36000
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: renewable lifetime: 36000
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: banner: Kerberos 5
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: ccache dir: /tmp
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: keytab: /etc/krb5.keytab
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: called to update credentials for 'root'
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: _pam_krb5_sly_refresh returning 0 (Success)
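Two checks a practitioner could run against the log and the PAM configuration in this post, as an added example that is not part of the original message: correlating which sshd PID reported the successful Kerberos authentication with which PID ran the session stage and found no credentials, and flagging a PAM stack that ends in a required pam_deny.so with no earlier sufficient module. The PAM control-flag logic is deliberately simplified, and the log and config excerpts below are constructed from the post (realm masked as in the original).

```python
import re

# Constructed excerpts of the pam_krb5 debug log and /etc/pam.d/system-auth from the post.
LOG = """\
Jun 2 00:09:40 host sshd[25799]: pam_krb5[25799]: called to authenticate 'root'
Jun 2 00:09:42 host sshd[25799]: pam_krb5[25799]: authentication succeeds for 'root' (root@xxxxxxxxxxx)
Jun 2 00:09:52 host sshd[25797]: pam_krb5[25797]: no v5 creds for user 'root', skipping session setup
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: no v5 creds for user 'root', skipping session setup
"""
SYSTEM_AUTH = """\
auth required /lib/security/pam_env.so
auth required /usr/local/lib/security/pam_krb5.so debug
auth required /lib/security/pam_deny.so
password sufficient /usr/local/lib/security/pam_krb5.so use_authtok debug
password required /lib/security/pam_deny.so
"""

SSHD_LINE = re.compile(r"sshd\[(\d+)\]: (.*)$")

def correlate_pids(log):
    """Return (pids where pam_krb5 reported success, pids where the session stage saw no
    creds). Disjoint sets mean the TGT was obtained in a different sshd process."""
    auth_ok, no_creds = set(), set()
    for line in log.splitlines():
        m = SSHD_LINE.search(line)
        if not m:
            continue
        pid, msg = int(m.group(1)), m.group(2)
        if "authentication succeeds" in msg:
            auth_ok.add(pid)
        elif "no v5 creds" in msg:
            no_creds.add(pid)
    return auth_ok, no_creds

def stack_always_fails(cfg, stack):
    """Simplified PAM control-flag check: a required/requisite pam_deny.so fails the
    stack unless an earlier 'sufficient' module can return success before it."""
    seen_sufficient = False
    for raw in cfg.splitlines():
        parts = raw.split()
        if len(parts) < 3 or parts[0] != stack:
            continue
        control, module = parts[1], parts[2]
        if control == "sufficient":
            seen_sufficient = True
        elif module.endswith("pam_deny.so") and control in ("required", "requisite"):
            return not seen_sufficient
    return False
```

Run against the full log on the box, a non-empty intersection of the two PID sets would show the credentials being saved and looked up in the same process; disjoint sets, as here, point at the process boundary rather than at the KDC.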



_______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list