PAM Krb5
Anthony Ramm
anthony at openadvantage.org
Tue Jun 1 23:26:49 UTC 2004
I have been trying to get the PAM Krb5 module to work for the past few days and was wondering if it would be possible for someone to point me in the right direction regarding some problems I am having. I'm using a Gentoo system with MIT Kerberos5 v1.3.3, PAM v0.77 and PAM_krb5 version 2.1.0. When I ssh into the box I can log in, but whilst I get a TGT allocated (I can see it being allocated on the KDC), it never gets put in the cache. However, when I log on at the console it does. It looks from the output of the logs that it forgets the user logging on has got any credentials. Also, I'm asked for the password three times, where I can enter nonsense, before it prompts me for the root at host password. I've been going around in circles for the past few days on this one, so I'd be really grateful for any help anyone could give me.
I've included the contents of the log file and configuration files with
the domain changed to EXAMPLE.COM.
Thanks in advance,
Anthony
-----------------------------------------------------------
/etc/pam.d/system-auth
-----------------------------------------------------------
auth required /lib/security/pam_env.so
auth required /usr/local/lib/security/pam_krb5.so debug
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3
password sufficient /usr/local/lib/security/pam_krb5.so use_authtok debug
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so debug
session required /lib/security/pam_unix.so
session optional /usr/local/lib/security/pam_krb5.so debug tokens use_authtok
-----------------------------------------------------------
/etc/krb5.conf
-----------------------------------------------------------
[libdefaults]
ticket_lifetime = 600
default_realm = EXAMPLE.COM
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
EXAMPLE.COM = {
kdc = kerberos:88
admin_server = kerberos:749
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
[appdefaults]
pam = {
debug = true
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
max_timeout = 30
timeout_shift = 2
initial_timeout = 1
required_tgs = host/host.example.com
}
-----------------------------------------------------------
Log contents
-----------------------------------------------------------
Jun 2 00:09:40 host sshd[25799]: pam_krb5[25799]: default/local realm
'EXAMPLE.COM'
Jun 2 00:09:40 host sshd[25799]: pam_krb5[25799]: configured realm
'EXAMPLE.COM'
Jun 2 00:09:40 host sshd[25799]: pam_krb5[25799]: flags: forwardable
Jun 2 00:09:40 host sshd[25799]: pam_krb5[25799]: flag: user_check
Jun 2 00:09:40 host sshd[25799]: pam_krb5[25799]: flag: no krb4_convert
Jun 2 00:09:40 host sshd[25799]: pam_krb5[25799]: flag: warn
Jun 2 00:09:40 host sshd[25799]: pam_krb5[25799]: ticket lifetime:
36000
Jun 2 00:09:40 host sshd[25799]: pam_krb5[25799]: renewable lifetime:
36000
Jun 2 00:09:40 host sshd[25799]: pam_krb5[25799]: banner: Kerberos 5
Jun 2 00:09:40 host sshd[25799]: pam_krb5[25799]: ccache dir: /tmp
Jun 2 00:09:40 host sshd[25799]: pam_krb5[25799]: keytab:
/etc/krb5.keytab
Jun 2 00:09:40 host sshd[25799]: pam_krb5[25799]: called to
authenticate 'root'
Jun 2 00:09:40 host sshd[25799]: pam_krb5[25799]: authenticating
'root at EXAMPLE.COM'
Jun 2 00:09:42 host sshd[25799]: pam_krb5[25799]: saving newly-entered
password for use by other modules
Jun 2 00:09:42 host sshd[25799]: pam_krb5[25799]: trying newly-entered
password for 'root'
Jun 2 00:09:42 host sshd[25799]: pam_krb5[25799]: authenticating
'root at EXAMPLE.COM' to 'krbtgt/EXAMPLE.COM at EXAMPLE.COM'
Jun 2 00:09:42 host sshd[25799]: pam_krb5[25799]:
krb5_get_init_creds_password(krbtgt/EXAMPLE.COM at EXAMPLE.COM) returned 0
(Unknown code 0)
Jun 2 00:09:42 host sshd[25799]: pam_krb5[25799]: got result 0
(Unknown code 0)
Jun 2 00:09:42 host sshd[25799]: pam_krb5[25799]: authentication
succeeds for 'root' (root at EXAMPLE.COM)
Jun 2 00:09:42 host sshd[25797]: error: PAM: Authentication failure
Jun 2 00:09:42 host sshd[25800]: pam_krb5[25800]: default/local realm
'EXAMPLE.COM'
Jun 2 00:09:42 host sshd[25800]: pam_krb5[25800]: configured realm
'EXAMPLE.COM'
Jun 2 00:09:42 host sshd[25800]: pam_krb5[25800]: flags: forwardable
Jun 2 00:09:42 host sshd[25800]: pam_krb5[25800]: flag: user_check
Jun 2 00:09:42 host sshd[25800]: pam_krb5[25800]: flag: no krb4_convert
Jun 2 00:09:42 host sshd[25800]: pam_krb5[25800]: flag: warn
Jun 2 00:09:42 host sshd[25800]: pam_krb5[25800]: ticket lifetime:
36000
Jun 2 00:09:42 host sshd[25800]: pam_krb5[25800]: renewable lifetime:
36000
Jun 2 00:09:42 host sshd[25800]: pam_krb5[25800]: banner: Kerberos 5
Jun 2 00:09:42 host sshd[25800]: pam_krb5[25800]: ccache dir: /tmp
Jun 2 00:09:42 host sshd[25800]: pam_krb5[25800]: keytab:
/etc/krb5.keytab
Jun 2 00:09:42 host sshd[25800]: pam_krb5[25800]: called to
authenticate 'root'
Jun 2 00:09:42 host sshd[25800]: pam_krb5[25800]: authenticating
'root at EXAMPLE.COM'
Jun 2 00:09:45 host sshd[25800]: pam_krb5[25800]: saving newly-entered
password for use by other modules
Jun 2 00:09:45 host sshd[25800]: pam_krb5[25800]: trying newly-entered
password for 'root'
Jun 2 00:09:45 host sshd[25800]: pam_krb5[25800]: authenticating
'root at EXAMPLE.COM' to 'krbtgt/EXAMPLE.COM at EXAMPLE.COM'
Jun 2 00:09:45 host sshd[25800]: pam_krb5[25800]:
krb5_get_init_creds_password(krbtgt/EXAMPLE.COM at EXAMPLE.COM) returned 0
(Unknown code 0)
Jun 2 00:09:45 host sshd[25800]: pam_krb5[25800]: got result 0
(Unknown code 0)
Jun 2 00:09:45 host sshd[25800]: pam_krb5[25800]: authentication
succeeds for 'root' (root at EXAMPLE.COM)
Jun 2 00:09:45 host sshd[25797]: error: PAM: Authentication failure
Jun 2 00:09:45 host sshd[25801]: pam_krb5[25801]: default/local realm
'EXAMPLE.COM'
Jun 2 00:09:45 host sshd[25801]: pam_krb5[25801]: configured realm
'EXAMPLE.COM'
Jun 2 00:09:45 host sshd[25801]: pam_krb5[25801]: flags: forwardable
Jun 2 00:09:45 host sshd[25801]: pam_krb5[25801]: flag: user_check
Jun 2 00:09:45 host sshd[25801]: pam_krb5[25801]: flag: no krb4_convert
Jun 2 00:09:45 host sshd[25801]: pam_krb5[25801]: flag: warn
Jun 2 00:09:45 host sshd[25801]: pam_krb5[25801]: ticket lifetime:
36000
Jun 2 00:09:45 host sshd[25801]: pam_krb5[25801]: renewable lifetime:
36000
Jun 2 00:09:45 host sshd[25801]: pam_krb5[25801]: banner: Kerberos 5
Jun 2 00:09:45 host sshd[25801]: pam_krb5[25801]: ccache dir: /tmp
Jun 2 00:09:45 host sshd[25801]: pam_krb5[25801]: keytab:
/etc/krb5.keytab
Jun 2 00:09:45 host sshd[25801]: pam_krb5[25801]: called to
authenticate 'root'
Jun 2 00:09:45 host sshd[25801]: pam_krb5[25801]: authenticating
'root at EXAMPLE.COM'
Jun 2 00:09:46 host sshd[25801]: pam_krb5[25801]: saving newly-entered
password for use by other modules
Jun 2 00:09:46 host sshd[25801]: pam_krb5[25801]: trying newly-entered
password for 'root'
Jun 2 00:09:46 host sshd[25801]: pam_krb5[25801]: authenticating
'root at EXAMPLE.COM' to 'krbtgt/EXAMPLE.COM at EXAMPLE.COM'
Jun 2 00:09:46 host sshd[25801]: pam_krb5[25801]:
krb5_get_init_creds_password(krbtgt/EXAMPLE.COM at EXAMPLE.COM) returned 0
(Unknown code 0)
Jun 2 00:09:46 host sshd[25801]: pam_krb5[25801]: got result 0
(Unknown code 0)
Jun 2 00:09:46 host sshd[25801]: pam_krb5[25801]: authentication
succeeds for 'root' (root at EXAMPLE.COM)
Jun 2 00:09:46 host sshd[25797]: error: PAM: Authentication failure
Jun 2 00:09:46 host sshd[25797]: Failed keyboard-interactive/pam for
root from ::ffff:10.0.1.51 port 48177 ssh2
Jun 2 00:09:52 host sshd[25797]: Accepted password for root from
::ffff:10.0.1.51 port 48177 ssh2
Jun 2 00:09:52 host sshd[25797]: pam_krb5[25797]: default/local realm
'EXAMPLE.COM'
Jun 2 00:09:52 host sshd[25797]: pam_krb5[25797]: configured realm
'EXAMPLE.COM'
Jun 2 00:09:52 host sshd[25797]: pam_krb5[25797]: flags: forwardable
Jun 2 00:09:52 host sshd[25797]: pam_krb5[25797]: flag: user_check
Jun 2 00:09:52 host sshd[25797]: pam_krb5[25797]: flag: no krb4_convert
Jun 2 00:09:52 host sshd[25797]: pam_krb5[25797]: flag: warn
Jun 2 00:09:52 host sshd[25797]: pam_krb5[25797]: ticket lifetime:
36000
Jun 2 00:09:52 host sshd[25797]: pam_krb5[25797]: renewable lifetime:
36000
Jun 2 00:09:52 host sshd[25797]: pam_krb5[25797]: banner: Kerberos 5
Jun 2 00:09:52 host sshd[25797]: pam_krb5[25797]: ccache dir: /tmp
Jun 2 00:09:52 host sshd[25797]: pam_krb5[25797]: keytab:
/etc/krb5.keytab
Jun 2 00:09:52 host sshd[25797]: pam_krb5[25797]: no v5 creds for user
'root', skipping session setup
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: default/local realm
'EXAMPLE.COM'
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: configured realm
'EXAMPLE.COM'
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: flags: forwardable
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: flag: tokens
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: flag: user_check
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: flag: use_authtok
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: flag: no krb4_convert
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: flag: warn
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: ticket lifetime:
36000
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: renewable lifetime:
36000
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: banner: Kerberos 5
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: ccache dir: /tmp
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: keytab:
/etc/krb5.keytab
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: no v5 creds for user
'root', skipping session setup
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: default/local realm
'EXAMPLE.COM'
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: configured realm
'EXAMPLE.COM'
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: flags: forwardable
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: flag: user_check
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: flag: no krb4_convert
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: flag: warn
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: ticket lifetime:
36000
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: renewable lifetime:
36000
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: banner: Kerberos 5
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: ccache dir: /tmp
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: keytab:
/etc/krb5.keytab
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: called to update
credentials for 'root'
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]:
_pam_krb5_sly_refresh returning 0 (Success)
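One diagnostic check a reader could run over a log like the one above, as an added example that is not part of the original post: group the sshd lines by process ID and test whether the process in which pam_krb5 reported "authentication succeeds" is the same one that later reports "PAM: Authentication failure" or runs session setup. The sample log is a constructed, condensed subset of the lines quoted above (same PIDs and messages; repeated configuration lines dropped).

```python
import re

# Constructed sample: condensed from the post's log. Principal names keep the
# list archive's "root at EXAMPLE.COM" obfuscation exactly as quoted above.
SAMPLE_LOG = """\
Jun 2 00:09:40 host sshd[25799]: pam_krb5[25799]: called to authenticate 'root'
Jun 2 00:09:42 host sshd[25799]: pam_krb5[25799]: authentication succeeds for 'root' (root at EXAMPLE.COM)
Jun 2 00:09:42 host sshd[25797]: error: PAM: Authentication failure
Jun 2 00:09:45 host sshd[25800]: pam_krb5[25800]: called to authenticate 'root'
Jun 2 00:09:45 host sshd[25800]: pam_krb5[25800]: authentication succeeds for 'root' (root at EXAMPLE.COM)
Jun 2 00:09:45 host sshd[25797]: error: PAM: Authentication failure
Jun 2 00:09:46 host sshd[25797]: Failed keyboard-interactive/pam for root from ::ffff:10.0.1.51 port 48177 ssh2
Jun 2 00:09:52 host sshd[25797]: Accepted password for root from ::ffff:10.0.1.51 port 48177 ssh2
Jun 2 00:09:52 host sshd[25797]: pam_krb5[25797]: no v5 creds for user 'root', skipping session setup
Jun 2 00:09:52 host sshd[25802]: pam_krb5[25802]: no v5 creds for user 'root', skipping session setup
"""

# syslog prefix: month, day, time, hostname, then "sshd[PID]: message"
LINE_RE = re.compile(r"^\S+\s+\d+\s+[\d:]+\s+\S+\s+sshd\[(\d+)\]:\s*(.*)$")


def parse(log):
    """Return (pid, message) tuples for every sshd line in the log."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((int(m.group(1)), m.group(2)))
    return events


def diagnose(log):
    """Correlate pam_krb5's own verdict with sshd's verdict and session setup, per PID."""
    report = {"auth_ok_pids": [], "pam_failure_pids": [], "no_creds_pids": [], "findings": []}
    for pid, msg in parse(log):
        if "authentication succeeds" in msg:
            report["auth_ok_pids"].append(pid)
        elif "PAM: Authentication failure" in msg:
            report["pam_failure_pids"].append(pid)
        elif "no v5 creds" in msg:
            report["no_creds_pids"].append(pid)
    ok = set(report["auth_ok_pids"])
    # A failure or a creds-less session setup logged by a PID that never saw the
    # successful authentication means the PAM state did not cross a process boundary.
    for pid in sorted(set(report["pam_failure_pids"]) - ok):
        report["findings"].append(f"sshd[{pid}] reported PAM failure; pam_krb5 succeeded only in {sorted(ok)}")
    for pid in sorted(set(report["no_creds_pids"]) - ok):
        report["findings"].append(f"sshd[{pid}] ran session setup without creds; none were obtained in that PID")
    return report


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG)["findings"]:
        print(finding)
```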