[[Resending because the newsgroup doesn't appear particularly active. Apologies to those who receive my request twice]]

Hello list,

Can anyone clarify the following log excerpt for me? I'm trying to set up Kerberos authentication for a small number of hosts, but on both test machines I cannot log in via ssh with Kerberos/LDAP user accounts (local accounts work fine):

Feb 28 14:48:38 gnome sshd[1816]: Failed publickey for aschuring from 172.22.21.58 port 50322 ssh2
Feb 28 14:48:40 gnome sshd[1816]: pam_krb5(sshd:auth): pam_sm_authenticate: entry (0x1)
Feb 28 14:48:40 gnome sshd[1816]: pam_krb5(sshd:auth): (user aschuring) attempting authentication as aschuring@xxxxxxxxx
Feb 28 14:48:41 gnome sshd[1816]: pam_krb5(sshd:auth): user aschuring authenticated as aschuring@xxxxxxxxx
Feb 28 14:48:41 gnome sshd[1816]: pam_krb5(sshd:auth): pam_sm_authenticate: exit (success)
Feb 28 14:48:41 gnome sshd[1816]: debug1: PAM: password authentication accepted for aschuring
Feb 28 14:48:41 gnome sshd[1816]: debug1: do_pam_account: called
Feb 28 14:48:41 gnome sshd[1816]: Failed password for aschuring from 172.22.21.58 port 50322 ssh2
Feb 28 14:48:41 gnome sshd[1816]: debug1: do_cleanup
Feb 28 14:48:41 gnome sshd[1816]: debug1: PAM: cleanup

As you can see, the Kerberos authentication works fine, but it appears that the account phase subsequently rejects the login.
But the account does exist, and is known through LDAP:

root@gnome:/# id aschuring
uid=10000(aschuring) gid=10000(aschuring) groups=27(sudo),10000(aschuring)

Here is the relevant PAM configuration (unmodified Debian Squeeze):

==> /etc/pam.d/sshd <==
auth required pam_env.so # [1]
auth required pam_env.so envfile=/etc/default/locale
@include common-auth
account required pam_nologin.so
@include common-account

==> /etc/pam.d/common-account <==
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account required pam_krb5.so minimum_uid=1000

==> /etc/pam.d/common-auth <==
auth [success=2 default=ignore] pam_krb5.so minimum_uid=1000 debug
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass debug
auth requisite pam_deny.so debug
auth required pam_permit.so debug

Thanks for any pointers you can give me,
Arno Schuring
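
Added example, not part of the original post and not Linux-PAM code: a simplified Python model of how libpam walks the common-account stack quoted above, showing which modules are consulted for a given set of return codes. The return codes passed in are constructed assumptions (the post does not show what pam_unix returns for the LDAP account), and `parse`, `evaluate` and `run` are hypothetical helper names.

```python
import re

# The common-account stack as posted in the message above.
COMMON_ACCOUNT = """\
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account required pam_krb5.so minimum_uid=1000
"""

# Bracket equivalents of the keyword controls, per pam.conf(5).
KEYWORDS = {
    "required": "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite": "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
}

def parse(text):
    stack = []
    for line in text.splitlines():
        m = re.match(r"\s*\w+\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if m:
            control = KEYWORDS.get(m.group(1), m.group(1))
            actions = dict(kv.split("=") for kv in control[1:-1].split())
            stack.append((m.group(2), actions))
    return stack

def evaluate(stack, results):
    """Simplified model of libpam dispatch. results maps module -> return
    code name (assumed inputs). Returns (verdict, modules actually called)."""
    failed, positive, called, i = False, False, [], 0
    while i < len(stack):
        module, actions = stack[i]
        called.append(module)
        action = actions.get(results[module], actions["default"])
        i += 1 + (int(action) if action.isdigit() else 0)  # N = skip next N modules
        if action in ("ok", "done"):
            positive = positive or not failed
        elif action in ("bad", "die"):
            failed = True
        if action in ("done", "die"):
            break                      # stack terminates immediately
    return ("permit" if positive and not failed else "deny"), called

def run(unix_rc, krb5_rc):
    # pam_deny always fails, pam_permit always succeeds; the other two are assumptions.
    return evaluate(parse(COMMON_ACCOUNT), {"pam_unix.so": unix_rc, "pam_deny.so": "failure",
                                            "pam_permit.so": "success", "pam_krb5.so": krb5_rc})
print("pam_unix succeeds:", run("success", "ignore"))
print("pam_unix fails:   ", run("failure", "success"))
```

In the second scenario, where pam_unix is assumed to return a non-success code, the requisite pam_deny line ends the stack before pam_krb5 is consulted, so the verdict is deny regardless of what pam_krb5 would have returned.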