[rhelv6-list] New glibc and kerberos auth breakage?!

Pat Riehecky riehecky at fnal.gov
Thu Jul 19 21:28:18 UTC 2012


On 07/19/2012 03:54 PM, Pat Riehecky wrote:
> On 07/19/2012 03:36 PM, inode0 wrote:
>> So all of my RHEL6.3 boxes that use kerberos for authentication suffer
>> breakage after updating glibc. Downgrading glibc* restores them to
>> expected behavior. With the new glibc installed I have seen both
>> gssapi-with-mic and password auth fail on ssh connections. Lots of
>> spewage from pam about not being able to find users or resolve hosts.
>> pam_succeed_if for instance can no longer find users not local to the
>> machine.
>>
>> Has anyone else encountered anything like this with the recent update?
>>
>> Thanks,
>> John
>>
>
> I haven't but I've got kerberos auth over here.  Any chance for 
> replication steps?  I'd love some ssh logs!
>
> Pat
>
>

My test seems to be working fine:

$ ssh -v XXXXXXXXXXXXXXXXXXXXXXXXXXX
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to XXXXXXXXXXXXXXXXXXXXXXXXXXXx port 22.
debug1: Connection established.
debug1: identity file /home/riehecky/.ssh/identity type -1
debug1: identity file /home/riehecky/.ssh/id_rsa type -1
debug1: identity file /home/riehecky/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3p2
debug1: Offering GSSAPI proposal: 
gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,gss-gex-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group1-sha1-bontcUwnM6aGfWCP21alxQ==,gss-gex-sha1-92scGTGZyysGniM+s/4xLA==,gss-group1-sha1-92scGTGZyysGniM+s/4xLA==
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: Doing group exchange

debug1: Calling gss_init_sec_context
debug1: Delegating credentials
debug1: Received GSSAPI_COMPLETE
debug1: Calling gss_init_sec_context
debug1: Delegating credentials
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: gssapi-keyex
debug1: Authentication succeeded (gssapi-keyex).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Requesting X11 forwarding with authentication spoofing.


In case this is helpful.......

-- 
Pat Riehecky
Scientific Linux Developer



