[Fwd: pam_krb5 and sshd]

Arno Schuring aelschuring at hotmail.com
Sun Feb 28 14:32:39 UTC 2010


[[Resending because the newsgroup doesn't appear particularly active.
Apologies to those who receive my request twice]]


Hello list,

Can anyone clarify the following log excerpt for me? I'm trying to set up
Kerberos authentication for a small number of hosts, but on both test
machines I cannot log in via ssh with Kerberos/LDAP user accounts (local
accounts work fine):


Feb 28 14:48:38 gnome sshd[1816]: Failed publickey for aschuring from 172.22.21.58 port 50322 ssh2
Feb 28 14:48:40 gnome sshd[1816]: pam_krb5(sshd:auth): pam_sm_authenticate: entry (0x1)
Feb 28 14:48:40 gnome sshd[1816]: pam_krb5(sshd:auth): (user aschuring) attempting authentication as aschuring at LOOS.SITE
Feb 28 14:48:41 gnome sshd[1816]: pam_krb5(sshd:auth): user aschuring authenticated as aschuring at LOOS.SITE
Feb 28 14:48:41 gnome sshd[1816]: pam_krb5(sshd:auth): pam_sm_authenticate: exit (success)
Feb 28 14:48:41 gnome sshd[1816]: debug1: PAM: password authentication accepted for aschuring
Feb 28 14:48:41 gnome sshd[1816]: debug1: do_pam_account: called
Feb 28 14:48:41 gnome sshd[1816]: Failed password for aschuring from 172.22.21.58 port 50322 ssh2
Feb 28 14:48:41 gnome sshd[1816]: debug1: do_cleanup
Feb 28 14:48:41 gnome sshd[1816]: debug1: PAM: cleanup


As you can see, the Kerberos authentication works fine, but it appears
that the account phase subsequently rejects the login. But the account
does exist, and is known through LDAP:

root at gnome:/# id aschuring
uid=10000(aschuring) gid=10000(aschuring) groups=27(sudo),10000(aschuring)

Here is the relevant PAM configuration (unmodified Debian Squeeze):
==> /etc/pam.d/sshd <==
auth       required     pam_env.so # [1]
auth       required     pam_env.so envfile=/etc/default/locale
@include common-auth

account    required     pam_nologin.so
@include common-account

==> /etc/pam.d/common-account <==
account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so
account requisite                       pam_deny.so
account required                        pam_permit.so
account required                        pam_krb5.so minimum_uid=1000

==> /etc/pam.d/common-auth <==
auth    [success=2 default=ignore]      pam_krb5.so minimum_uid=1000 debug
auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass debug
auth    requisite                       pam_deny.so debug
auth    required                        pam_permit.so debug


Thanks for any pointers you can give me,

Arno Schuring
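The account stack quoted in the post above can be walked by hand, but a small model of the pam.conf(5) control-flag semantics makes the jump logic visible. The following Python is an added example, not part of Arno's message or of any PAM project code: it parses the common-account lines from the post and evaluates them for two constructed sets of module return values. Those return values are assumptions for illustration only (in particular, that pam_unix.so returns a non-success code such as user_unknown for an account it cannot evaluate itself); the point is how `[success=1 new_authtok_reqd=done default=ignore]` followed by `requisite pam_deny.so` behaves, not a diagnosis of this particular system.

```python
import re

# Keyword controls expanded to their bracket equivalents, per pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# facility, control (keyword or [bracket form]), module, optional arguments
STACK_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)(.*)$")

# The common-account stack as quoted in the post (sshd's own
# "account required pam_nologin.so" line is prepended, as @include would).
COMMON_ACCOUNT = """\
account    required     pam_nologin.so
account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so
account requisite                       pam_deny.so
account required                        pam_permit.so
account required                        pam_krb5.so minimum_uid=1000
"""


def parse_stack(text, facility):
    """Return [(module, actions, args)] for the lines of one facility."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = STACK_RE.match(line)
        if not m or m.group(1) != facility:
            continue
        control, module, args = m.group(2), m.group(3), m.group(4).split()
        if control.startswith("["):
            actions = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            actions = KEYWORDS[control]
        stack.append((module, actions, args))
    return stack


def walk_stack(stack, results):
    """Simplified pam.conf(5) control semantics, enough for success/failure paths.

    results maps module name -> return code ('success', 'ignore',
    'user_unknown', 'acct_expired', ...). Returns (final_code, trace).
    ok/bad set the running impression, done/die terminate early,
    an integer N counts as ok and skips the next N modules, ignore
    leaves the state untouched.
    """
    failure = None      # first failing code seen, which the stack then returns
    positive = None     # latest positive code, used only if nothing failed
    trace = []
    i = 0
    while i < len(stack):
        module, actions, _ = stack[i]
        rv = results.get(module, "success")
        action = actions.get(rv, actions.get("default", "bad"))
        trace.append(f"{module}: returned {rv} -> action {action}")
        i += 1
        if action == "ignore":
            continue
        if action.isdigit():                      # jump: ok, then skip N
            if failure is None:
                positive = "success"
            i += int(action)
        elif action in ("ok", "done"):
            if failure is None:
                positive = rv
                if action == "done":
                    break
        elif action in ("bad", "die"):
            if failure is None:
                failure = rv
            if action == "die":
                break
        elif action == "reset":
            failure, positive = None, None
    if failure is not None:
        return failure, trace
    # A stack that nothing contributed to is denied.
    return (positive or "perm_denied"), trace


def account_result(results):
    """Evaluate the quoted account stack for a constructed set of returns."""
    return walk_stack(parse_stack(COMMON_ACCOUNT, "account"), results)


# Constructed scenario: a local account that pam_unix.so can evaluate.
LOCAL_USER = {"pam_unix.so": "success", "pam_deny.so": "acct_expired",
              "pam_permit.so": "success", "pam_krb5.so": "ignore"}

# Constructed scenario (assumption): pam_unix.so cannot evaluate a
# directory-only account and returns user_unknown, so its [default=ignore]
# applies and the jump over pam_deny.so never happens.
DIRECTORY_USER = {"pam_unix.so": "user_unknown", "pam_deny.so": "acct_expired",
                  "pam_permit.so": "success", "pam_krb5.so": "success"}

if __name__ == "__main__":
    for name, results in (("local", LOCAL_USER), ("directory", DIRECTORY_USER)):
        code, trace = account_result(results)
        print(f"{name}: {code}")
        for step in trace:
            print("  " + step)
```

In the second scenario the trace ends at pam_deny.so: the requisite control turns its failure into die, so pam_krb5.so is never consulted in the account phase no matter what it would have returned. When reading a log like the one in the post, the question to answer is therefore which module's return value the jump count was written for, and whether that module can actually evaluate the account in question.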



