PAM Krb5

Anthony Ramm anthony at openadvantage.org
Tue Jun 1 23:26:49 UTC 2004


I have been trying to get the PAM Krb5 module to work  for the past few 
days and was wondering if it would be possible for someone to point me 
in the right direction regarding some problems I am having.  I'm using 
a gentoo system with MIT Kerberos5 v1.3.3, PAM v0.77 and PAM_krb5 
version 2.1.0.  When I ssh into the box I can log in, but whilst I get a 
TGT allocated (I can see it being allocated on the KDC), it never gets 
put in the cache.  However, when I log on at the console it does.  It 
looks from the logs as though it forgets that the user logging on 
has any credentials. Also, I'm asked for the password three times, 
where I can enter nonsense, before it prompts me for root at host 
password.  I've been going around in circles for the past few days on 
this one, so I'd be really grateful for any help anyone could give me.  
I've included the contents of the log file and configuration files with 
the domain changed to EXAMPLE.COM.

Thanks in advance,

Anthony


-----------------------------------------------------------
/etc/pam.d/system-auth
-----------------------------------------------------------
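# /etc/pam.d/system-auth
#
# auth stack: pam_krb5 has to be "sufficient" here, exactly as it already is
# in the password stack below. With pam_krb5 "required" followed by pam_deny
# "required", the stack fails on every attempt no matter what pam_krb5 decides:
# the debug log shows "authentication succeeds for 'root'" immediately followed
# by "error: PAM: Authentication failure", three times in a row (sshd children
# 25799, 25800, 25801), after which sshd falls back to plain password
# authentication ("Accepted password for root"). That fallback is the fourth
# prompt the poster sees. With "sufficient", a Kerberos success returns from
# the stack before pam_deny is reached; a failure still ends at pam_deny.
auth       required     /lib/security/pam_env.so
auth       sufficient   /usr/local/lib/security/pam_krb5.so debug
auth       required     /lib/security/pam_deny.so

account    required     /lib/security/pam_unix.so

password   required     /lib/security/pam_cracklib.so retry=3
# use_authtok: pam_krb5 takes the new password collected by pam_cracklib above
# instead of prompting again. (In the mail this line was wrapped after
# "use_authtok"; "debug" belongs on the same line.)
password   sufficient   /usr/local/lib/security/pam_krb5.so use_authtok debug
password   required     /lib/security/pam_deny.so

session    required     /lib/security/pam_limits.so debug
session    required     /lib/security/pam_unix.so
# optional: a missing ticket cache must not block the login. The log's
# "no v5 creds for user 'root', skipping session setup" is this module
# declining to create a cache because no credentials reached it -- most likely
# because the denied auth stack above never handed them on; re-check after the
# auth fix. (Wrapped in the mail after "debug"; "tokens use_authtok" belongs
# on the same line.)
session    optional     /usr/local/lib/security/pam_krb5.so debug tokens use_authtok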

-----------------------------------------------------------
/etc/krb5.conf
-----------------------------------------------------------
# /etc/krb5.conf as posted (realm/domain replaced with EXAMPLE.COM).
[libdefaults]
# A bare number is read as seconds, i.e. 10 minutes. pam_krb5 logs
# "ticket lifetime: 36000", so the [appdefaults] pam value below is what the
# PAM module uses; this one presumably only governs kinit-style tools -- confirm.
         ticket_lifetime = 600
         default_realm = EXAMPLE.COM
# des-cbc-crc is single DES; it sits after des3 as a fallback and is worth
# dropping once every principal has a des3 key.
         default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
         default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
         EXAMPLE.COM = {
# Unqualified host name "kerberos"; the TGT in the log was obtained, so it does
# resolve from this host. 88 and 749 are the standard KDC and kadmin ports.
         kdc = kerberos:88
         admin_server = kerberos:749
         }

[domain_realm]
         .example.com = EXAMPLE.COM
         example.com = EXAMPLE.COM

[logging]
# Log destinations for the KDC and kadmind; "default" covers everything else.
# The pam_krb5 debug lines quoted in the mail are syslog output written via
# sshd ("host sshd[pid]: pam_krb5[pid]: ..."), not these files.
         kdc = FILE:/var/log/krb5kdc.log
         admin_server = FILE:/var/log/kadmin.log
         default = FILE:/var/log/krb5lib.log

[appdefaults]
# Settings read by pam_krb5. The ones echoed in the debug log are: debug
# (the verbose "pam_krb5[pid]:" lines), ticket_lifetime / renew_lifetime
# ("ticket lifetime: 36000" / "renewable lifetime: 36000"), forwardable
# ("flags: forwardable") and krb4_convert ("flag: no krb4_convert").
   pam = {
     debug = true
     ticket_lifetime = 36000
     renew_lifetime = 36000
     forwardable = true
     krb4_convert = false
# NOTE(review): none of the next four options appears in the debug output's
# flag list. They may belong to a different pam_krb5 implementation; confirm
# that pam_krb5 2.1.0 recognises them, otherwise they are silently ignored.
     max_timeout = 30
     timeout_shift = 2
     initial_timeout = 1
# If this is meant to verify the obtained TGT against the host key in the
# keytab the log reports (/etc/krb5.keytab) -- the usual defence against a
# spoofed KDC -- confirm the option name this module version expects; the log
# lists the keytab but shows no validation step.
     required_tgs = host/host.example.com
   }

-----------------------------------------------------------
Log contents
-----------------------------------------------------------
Jun  2 00:09:40 host sshd[25799]: pam_krb5[25799]: default/local realm 
'EXAMPLE.COM'
Jun  2 00:09:40 host sshd[25799]: pam_krb5[25799]: configured realm 
'EXAMPLE.COM'
Jun  2 00:09:40 host sshd[25799]: pam_krb5[25799]: flags: forwardable
Jun  2 00:09:40 host sshd[25799]: pam_krb5[25799]: flag: user_check
Jun  2 00:09:40 host sshd[25799]: pam_krb5[25799]: flag: no krb4_convert
Jun  2 00:09:40 host sshd[25799]: pam_krb5[25799]: flag: warn
Jun  2 00:09:40 host sshd[25799]: pam_krb5[25799]: ticket lifetime: 
36000
Jun  2 00:09:40 host sshd[25799]: pam_krb5[25799]: renewable lifetime: 
36000
Jun  2 00:09:40 host sshd[25799]: pam_krb5[25799]: banner: Kerberos 5
Jun  2 00:09:40 host sshd[25799]: pam_krb5[25799]: ccache dir: /tmp
Jun  2 00:09:40 host sshd[25799]: pam_krb5[25799]: keytab: 
/etc/krb5.keytab
Jun  2 00:09:40 host sshd[25799]: pam_krb5[25799]: called to 
authenticate 'root'
Jun  2 00:09:40 host sshd[25799]: pam_krb5[25799]: authenticating 
'root at EXAMPLE.COM'
Jun  2 00:09:42 host sshd[25799]: pam_krb5[25799]: saving newly-entered 
password for use by other modules
Jun  2 00:09:42 host sshd[25799]: pam_krb5[25799]: trying newly-entered 
password for 'root'
Jun  2 00:09:42 host sshd[25799]: pam_krb5[25799]: authenticating 
'root at EXAMPLE.COM' to 'krbtgt/EXAMPLE.COM at EXAMPLE.COM'
Jun  2 00:09:42 host sshd[25799]: pam_krb5[25799]: 
krb5_get_init_creds_password(krbtgt/EXAMPLE.COM at EXAMPLE.COM) returned 0 
(Unknown code 0)
Jun  2 00:09:42 host sshd[25799]: pam_krb5[25799]: got result 0 
(Unknown code 0)
Jun  2 00:09:42 host sshd[25799]: pam_krb5[25799]: authentication 
succeeds for 'root' (root at EXAMPLE.COM)
Jun  2 00:09:42 host sshd[25797]: error: PAM: Authentication failure
Jun  2 00:09:42 host sshd[25800]: pam_krb5[25800]: default/local realm 
'EXAMPLE.COM'
Jun  2 00:09:42 host sshd[25800]: pam_krb5[25800]: configured realm 
'EXAMPLE.COM'
Jun  2 00:09:42 host sshd[25800]: pam_krb5[25800]: flags: forwardable
Jun  2 00:09:42 host sshd[25800]: pam_krb5[25800]: flag: user_check
Jun  2 00:09:42 host sshd[25800]: pam_krb5[25800]: flag: no krb4_convert
Jun  2 00:09:42 host sshd[25800]: pam_krb5[25800]: flag: warn
Jun  2 00:09:42 host sshd[25800]: pam_krb5[25800]: ticket lifetime: 
36000
Jun  2 00:09:42 host sshd[25800]: pam_krb5[25800]: renewable lifetime: 
36000
Jun  2 00:09:42 host sshd[25800]: pam_krb5[25800]: banner: Kerberos 5
Jun  2 00:09:42 host sshd[25800]: pam_krb5[25800]: ccache dir: /tmp
Jun  2 00:09:42 host sshd[25800]: pam_krb5[25800]: keytab: 
/etc/krb5.keytab
Jun  2 00:09:42 host sshd[25800]: pam_krb5[25800]: called to 
authenticate 'root'
Jun  2 00:09:42 host sshd[25800]: pam_krb5[25800]: authenticating 
'root at EXAMPLE.COM'
Jun  2 00:09:45 host sshd[25800]: pam_krb5[25800]: saving newly-entered 
password for use by other modules
Jun  2 00:09:45 host sshd[25800]: pam_krb5[25800]: trying newly-entered 
password for 'root'
Jun  2 00:09:45 host sshd[25800]: pam_krb5[25800]: authenticating 
'root at EXAMPLE.COM' to 'krbtgt/EXAMPLE.COM at EXAMPLE.COM'
Jun  2 00:09:45 host sshd[25800]: pam_krb5[25800]: 
krb5_get_init_creds_password(krbtgt/EXAMPLE.COM at EXAMPLE.COM) returned 0 
(Unknown code 0)
Jun  2 00:09:45 host sshd[25800]: pam_krb5[25800]: got result 0 
(Unknown code 0)
Jun  2 00:09:45 host sshd[25800]: pam_krb5[25800]: authentication 
succeeds for 'root' (root at EXAMPLE.COM)
Jun  2 00:09:45 host sshd[25797]: error: PAM: Authentication failure
Jun  2 00:09:45 host sshd[25801]: pam_krb5[25801]: default/local realm 
'EXAMPLE.COM'
Jun  2 00:09:45 host sshd[25801]: pam_krb5[25801]: configured realm 
'EXAMPLE.COM'
Jun  2 00:09:45 host sshd[25801]: pam_krb5[25801]: flags: forwardable
Jun  2 00:09:45 host sshd[25801]: pam_krb5[25801]: flag: user_check
Jun  2 00:09:45 host sshd[25801]: pam_krb5[25801]: flag: no krb4_convert
Jun  2 00:09:45 host sshd[25801]: pam_krb5[25801]: flag: warn
Jun  2 00:09:45 host sshd[25801]: pam_krb5[25801]: ticket lifetime: 
36000
Jun  2 00:09:45 host sshd[25801]: pam_krb5[25801]: renewable lifetime: 
36000
Jun  2 00:09:45 host sshd[25801]: pam_krb5[25801]: banner: Kerberos 5
Jun  2 00:09:45 host sshd[25801]: pam_krb5[25801]: ccache dir: /tmp
Jun  2 00:09:45 host sshd[25801]: pam_krb5[25801]: keytab: 
/etc/krb5.keytab
Jun  2 00:09:45 host sshd[25801]: pam_krb5[25801]: called to 
authenticate 'root'
Jun  2 00:09:45 host sshd[25801]: pam_krb5[25801]: authenticating 
'root at EXAMPLE.COM'
Jun  2 00:09:46 host sshd[25801]: pam_krb5[25801]: saving newly-entered 
password for use by other modules
Jun  2 00:09:46 host sshd[25801]: pam_krb5[25801]: trying newly-entered 
password for 'root'
Jun  2 00:09:46 host sshd[25801]: pam_krb5[25801]: authenticating 
'root at EXAMPLE.COM' to 'krbtgt/EXAMPLE.COM at EXAMPLE.COM'
Jun  2 00:09:46 host sshd[25801]: pam_krb5[25801]: 
krb5_get_init_creds_password(krbtgt/EXAMPLE.COM at EXAMPLE.COM) returned 0 
(Unknown code 0)
Jun  2 00:09:46 host sshd[25801]: pam_krb5[25801]: got result 0 
(Unknown code 0)
Jun  2 00:09:46 host sshd[25801]: pam_krb5[25801]: authentication 
succeeds for 'root' (root at EXAMPLE.COM)
Jun  2 00:09:46 host sshd[25797]: error: PAM: Authentication failure
Jun  2 00:09:46 host sshd[25797]: Failed keyboard-interactive/pam for 
root from ::ffff:10.0.1.51 port 48177 ssh2
Jun  2 00:09:52 host sshd[25797]: Accepted password for root from 
::ffff:10.0.1.51 port 48177 ssh2
Jun  2 00:09:52 host sshd[25797]: pam_krb5[25797]: default/local realm 
'EXAMPLE.COM'
Jun  2 00:09:52 host sshd[25797]: pam_krb5[25797]: configured realm 
'EXAMPLE.COM'
Jun  2 00:09:52 host sshd[25797]: pam_krb5[25797]: flags: forwardable
Jun  2 00:09:52 host sshd[25797]: pam_krb5[25797]: flag: user_check
Jun  2 00:09:52 host sshd[25797]: pam_krb5[25797]: flag: no krb4_convert
Jun  2 00:09:52 host sshd[25797]: pam_krb5[25797]: flag: warn
Jun  2 00:09:52 host sshd[25797]: pam_krb5[25797]: ticket lifetime: 
36000
Jun  2 00:09:52 host sshd[25797]: pam_krb5[25797]: renewable lifetime: 
36000
Jun  2 00:09:52 host sshd[25797]: pam_krb5[25797]: banner: Kerberos 5
Jun  2 00:09:52 host sshd[25797]: pam_krb5[25797]: ccache dir: /tmp
Jun  2 00:09:52 host sshd[25797]: pam_krb5[25797]: keytab: 
/etc/krb5.keytab
Jun  2 00:09:52 host sshd[25797]: pam_krb5[25797]: no v5 creds for user 
'root', skipping session setup
Jun  2 00:09:52 host sshd[25802]: pam_krb5[25802]: default/local realm 
'EXAMPLE.COM'
Jun  2 00:09:52 host sshd[25802]: pam_krb5[25802]: configured realm 
'EXAMPLE.COM'
Jun  2 00:09:52 host sshd[25802]: pam_krb5[25802]: flags: forwardable
Jun  2 00:09:52 host sshd[25802]: pam_krb5[25802]: flag: tokens
Jun  2 00:09:52 host sshd[25802]: pam_krb5[25802]: flag: user_check
Jun  2 00:09:52 host sshd[25802]: pam_krb5[25802]: flag: use_authtok
Jun  2 00:09:52 host sshd[25802]: pam_krb5[25802]: flag: no krb4_convert
Jun  2 00:09:52 host sshd[25802]: pam_krb5[25802]: flag: warn
Jun  2 00:09:52 host sshd[25802]: pam_krb5[25802]: ticket lifetime: 
36000
Jun  2 00:09:52 host sshd[25802]: pam_krb5[25802]: renewable lifetime: 
36000
Jun  2 00:09:52 host sshd[25802]: pam_krb5[25802]: banner: Kerberos 5
Jun  2 00:09:52 host sshd[25802]: pam_krb5[25802]: ccache dir: /tmp
Jun  2 00:09:52 host sshd[25802]: pam_krb5[25802]: keytab: 
/etc/krb5.keytab
Jun  2 00:09:52 host sshd[25802]: pam_krb5[25802]: no v5 creds for user 
'root', skipping session setup
Jun  2 00:09:52 host sshd[25802]: pam_krb5[25802]: default/local realm 
'EXAMPLE.COM'
Jun  2 00:09:52 host sshd[25802]: pam_krb5[25802]: configured realm 
'EXAMPLE.COM'
Jun  2 00:09:52 host sshd[25802]: pam_krb5[25802]: flags: forwardable
Jun  2 00:09:52 host sshd[25802]: pam_krb5[25802]: flag: user_check
Jun  2 00:09:52 host sshd[25802]: pam_krb5[25802]: flag: no krb4_convert
Jun  2 00:09:52 host sshd[25802]: pam_krb5[25802]: flag: warn
Jun  2 00:09:52 host sshd[25802]: pam_krb5[25802]: ticket lifetime: 
36000
Jun  2 00:09:52 host sshd[25802]: pam_krb5[25802]: renewable lifetime: 
36000
Jun  2 00:09:52 host sshd[25802]: pam_krb5[25802]: banner: Kerberos 5
Jun  2 00:09:52 host sshd[25802]: pam_krb5[25802]: ccache dir: /tmp
Jun  2 00:09:52 host sshd[25802]: pam_krb5[25802]: keytab: 
/etc/krb5.keytab
Jun  2 00:09:52 host sshd[25802]: pam_krb5[25802]: called to update 
credentials for 'root'
Jun  2 00:09:52 host sshd[25802]: pam_krb5[25802]: 
_pam_krb5_sly_refresh returning 0 (Success)




