Bug 139929 - sys-auth/pam_krb5-2.2.6-r1: kerberos password is not accepted
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server
Hardware: All Linux
Importance: High trivial
Assignee: PAM Gentoo Team (OBSOLETE)
Reported: 2006-07-10 15:05 UTC by Martin Mokrejš
Modified: 2006-07-15 06:59 UTC
Attachments
pam_krb5-2.2.6-r1.ebuild (pam_krb5-2.2.6-r1.ebuild,789 bytes, text/plain)
2006-07-10 15:07 UTC, Martin Mokrejš
Description Martin Mokrejš 2006-07-10 15:05:09 UTC
I have unmasked the sys-auth/pam_krb5-2.2.6.ebuild and changed its dependency to virtual/krb5 to test heimdal support.

The module itself works (when you have a ticket of the target user login you do not have to provide the passphrase again) at least for ssh logins and su(1) (see bug #134068 and make sure your sshd_config has correct settings (bug #132243)).

On the other hand if you do not have the ticket in your local cache file (I tried the attempt shown below as root) and you try to provide kerberos password of the remote user it doesn't get recognized as valid. This shouldn't happen because 

/etc/pam.d/system-auth contains:
#%PAM-1.0

auth       required     pam_env.so
auth       sufficient   pam_krb5.so use_first_pass ignore_root debug
auth       sufficient   pam_unix.so likeauth nullok
auth       required     pam_deny.so

account    required     pam_unix.so

password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   required     pam_deny.so

session    required     pam_limits.so
session    required     pam_unix.so


# ssh -l mmokrejs -v vrapenec
OpenSSH_4.3p2, OpenSSL 0.9.7j 04 May 2006
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to vrapenec [192.168.0.2] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'vrapenec' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:6
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1:  Miscellaneous failure (see text)
open(/tmp/krb5cc_0): No such file or directory

debug1: Trying to start again
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Password: 
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
Password: 
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
Password: 
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-with-mic,keyboard-interactive).
#

The following were logged:

Jul 10 23:53:37 vrapenec sshd[17458]: pam_krb5[17458]: configured realm 'DOMA'
Jul 10 23:53:37 vrapenec sshd[17458]: pam_krb5[17458]: flags: forwardable proxiable
Jul 10 23:53:37 vrapenec sshd[17458]: pam_krb5[17458]: flag: no ignore_afs
Jul 10 23:53:37 vrapenec sshd[17458]: pam_krb5[17458]: flag: user_check
Jul 10 23:53:37 vrapenec sshd[17458]: pam_krb5[17458]: flag: no krb4_convert
Jul 10 23:53:37 vrapenec sshd[17458]: pam_krb5[17458]: flag: krb4_convert_524
Jul 10 23:53:37 vrapenec sshd[17458]: pam_krb5[17458]: flag: krb4_use_as_req
Jul 10 23:53:37 vrapenec sshd[17458]: pam_krb5[17458]: flag: no use_shmem
Jul 10 23:53:37 vrapenec sshd[17458]: pam_krb5[17458]: flag: no external
Jul 10 23:53:37 vrapenec sshd[17458]: pam_krb5[17458]: flag: warn
Jul 10 23:53:37 vrapenec sshd[17458]: pam_krb5[17458]: ticket lifetime: 604800
Jul 10 23:53:37 vrapenec sshd[17458]: pam_krb5[17458]: renewable lifetime: 0
Jul 10 23:53:37 vrapenec sshd[17458]: pam_krb5[17458]: banner: Kerberos 5
Jul 10 23:53:37 vrapenec sshd[17458]: pam_krb5[17458]: ccache dir: /tmp
Jul 10 23:53:37 vrapenec sshd[17458]: pam_krb5[17458]: keytab: FILE:/etc/krb5.keytab
Jul 10 23:53:37 vrapenec sshd[17458]: pam_krb5[17458]: called to authenticate 'mmokrejs', realm 'DOMA'
Jul 10 23:53:37 vrapenec sshd[17458]: pam_krb5[17458]: authenticating 'mmokrejs@DOMA'
Jul 10 23:53:37 vrapenec sshd[17458]: pam_krb5[17458]: authentication fails for 'mmokrejs' (mmokrejs@DOMA): Authentication failure (Unknown code krb5 60)
Jul 10 23:53:37 vrapenec sshd[17458]: pam_krb5[17458]: pam_authenticate returning 7 (Authentication failure)



Similarly, even local login on one of the virtual terminals fails when I try to use kerberos password instead of my local password:

Jul 11 00:00:13 vrapenec login[7987]: pam_krb5[7987]: configured realm 'DOMA'
Jul 11 00:00:13 vrapenec login[7987]: pam_krb5[7987]: flags: forwardable proxiable
Jul 11 00:00:13 vrapenec login[7987]: pam_krb5[7987]: flag: no ignore_afs
Jul 11 00:00:13 vrapenec login[7987]: pam_krb5[7987]: flag: user_check
Jul 11 00:00:13 vrapenec login[7987]: pam_krb5[7987]: flag: no krb4_convert
Jul 11 00:00:13 vrapenec login[7987]: pam_krb5[7987]: flag: krb4_convert_524
Jul 11 00:00:13 vrapenec login[7987]: pam_krb5[7987]: flag: krb4_use_as_req
Jul 11 00:00:13 vrapenec login[7987]: pam_krb5[7987]: flag: no use_shmem
Jul 11 00:00:13 vrapenec login[7987]: pam_krb5[7987]: flag: no external
Jul 11 00:00:13 vrapenec login[7987]: pam_krb5[7987]: flag: warn
Jul 11 00:00:13 vrapenec login[7987]: pam_krb5[7987]: ticket lifetime: 604800
Jul 11 00:00:13 vrapenec login[7987]: pam_krb5[7987]: renewable lifetime: 0
Jul 11 00:00:13 vrapenec login[7987]: pam_krb5[7987]: banner: Kerberos 5
Jul 11 00:00:13 vrapenec login[7987]: pam_krb5[7987]: ccache dir: /tmp
Jul 11 00:00:13 vrapenec login[7987]: pam_krb5[7987]: keytab: FILE:/etc/krb5.keytab
Jul 11 00:00:13 vrapenec login[7987]: pam_krb5[7987]: called to authenticate 'mmokrejs', realm 'DOMA'
Jul 11 00:00:13 vrapenec login[7987]: pam_krb5[7987]: authenticating 'mmokrejs@DOMA'
Jul 11 00:00:13 vrapenec login[7987]: pam_krb5[7987]: authentication fails for 'mmokrejs' (mmokrejs@DOMA): Authentication failure (Unknown code krb5 60)
Jul 11 00:00:13 vrapenec login[7987]: pam_krb5[7987]: pam_authenticate returning 7 (Authentication failure)
Jul 11 00:00:16 vrapenec login(pam_unix)[7987]: authentication failure; logname= uid=0 euid=0 tty=tty2 ruser= rhost=  user=mmokrejs
Jul 11 00:00:19 vrapenec login[7987]: FAILED LOGIN (1) on 'tty2' FOR `mmokrejs', Authentication failure
Comment 1 Martin Mokrejš 2006-07-10 15:07:56 UTC
Created attachment 91403
pam_krb5-2.2.6-r1.ebuild

This ebuild works on ~x86. The issue is, I guess, a configuration problem and not a problem with the compilation process.

checking for krb5-config... /usr/bin/krb5-config
checking for krb4-config... :
configure: WARNING: krb4 not found
checking if pam_krb5 knows how to set AFS tokens on linux-gnu... yes
checking for main in -lresolv... yes
checking for KRB5_CFLAGS... -I/usr/include/heimdal 
checking for KRB5_LIBS... -L/usr/lib -lkrb5 -lasn1 -lcom_err -lcrypto -lroken -lcrypt -ldl -lresolv -lpthread
checking sys/ioccom.h usability... no
checking sys/ioccom.h presence... no
checking for sys/ioccom.h... no
checking for inttypes.h... (cached) yes
checking for stdint.h... (cached) yes
checking security/pam_appl.h usability... yes
checking security/pam_appl.h presence... yes
checking for security/pam_appl.h... yes
checking security/pam_modules.h usability... yes
checking security/pam_modules.h presence... yes
checking for security/pam_modules.h... yes
checking security/pam_misc.h usability... yes
checking security/pam_misc.h presence... yes
checking for security/pam_misc.h... yes
checking for getpwnam_r... yes
checking for __posix_getpwnam_r... no
checking for crypt... no
checking for crypt in -lcrypt... yes
checking krb5.h usability... yes
checking krb5.h presence... yes
checking for krb5.h... yes
checking for krb_life_to_time... no
checking for krb_time_to_life... no
checking for krb5_init_secure_context... no
checking for krb5_free_unparsed_name... no
checking for krb5_free_default_realm... no
checking for krb5_set_principal_realm... no
checking for krb_in_tkt... no
checking for in_tkt... no
checking for krb_save_credentials... no
checking for save_credentials... no
checking whether error_message is declared... yes
checking com_err.h usability... yes
checking com_err.h presence... yes
checking for com_err.h... yes
checking et/com_err.h usability... yes
checking et/com_err.h presence... yes
checking for et/com_err.h... yes
checking whether krb5_os_localaddr is declared... no
checking whether krb5_os_hostaddr is declared... no
checking whether krb5_copy_addr is declared... no
checking whether krb5_get_all_client_addrs is declared... yes
checking for krb5_const_realm... yes
checking for krb5_creds.keyblock... no
checking for krb5_creds.session... yes
checking for krb5_keyblock.enctype... no
checking for krb5_keyblock.keytype... yes
checking for krb524_convert_creds_kdc... yes
checking for krb5_524_convert_creds... no
checking for krb524_convert_creds_kdc... (cached) yes
checking for dlopen... no
checking for dlopen in -ldl... yes
checking for pam_get_item... no
checking for pam_get_item in -lpam... yes
checking for misc_conv... no
checking for misc_conv in -lpam_misc... yes
Using "EXAMPLE.COM" as the default realm
Using "/tmp" to store ccache files
Using "FILE:/etc/krb5.keytab" as the default keytab
will link using "-Wl,-Bsymbolic" to reduce conflicts
checking for location to install module and helpers... modules in /lib/security, helpers in /lib/security/pam_krb5
configure: creating ./config.status
Comment 2 Emanuele Giaquinta (RETIRED) gentoo-dev 2006-07-11 15:57:46 UTC
I have not tested it with heimdal, but it should be a configuration problem given that it is not specific to a particular service; btw in bug #134307 a user reported to have it working with heimdal. Some considerations:

- the ignore_root option does not exist

- why do you enable use_first_pass? It inhibits a password request, trying to use instead one used in a module that comes earlier in the pam stack, in this case none afaics. Try removing it and see if it helps. Another possibility is using the "no_initial_prompt" option, which uses v5_get_creds and krb5_kuserok to do the auth (thus using .k5login).
Comment 3 Martin Mokrejš 2006-07-12 03:48:04 UTC
OK, the following setup works for me, except for the fact that su asks first for the kerberized password for root, and the ignore_root option would be helpful in this case, while re-typing the password on the second prompt is treated as a local password so I can get in.



However, this setup with heimdal-0.7.2-r2 works for user with TTY login, ssh login, xscreensaver-5.00. I had to remove the ~/.k5login which was only u+rw but still, in /var/log/messages I saw:

Jul 12 12:18:03 vrapenec sshd[8432]: pam_krb5[8432]: krb5_get_init_creds_password(krbtgt/DOMA@DOMA) returned 0 (Success)
Jul 12 12:18:03 vrapenec sshd[8432]: pam_krb5[8432]: got result 0 (Success)
Jul 12 12:18:03 vrapenec sshd[8432]: pam_krb5[8432]: account checks fail for 'mmokrejs@DOMA': user disallowed by .k5login file for 'mmokrejs'
Jul 12 12:18:03 vrapenec sshd[8432]: pam_krb5[8432]: authentication fails for 'mmokrejs' (mmokrejs@DOMA): Permission denied (Success)
Jul 12 12:18:03 vrapenec sshd[8432]: pam_krb5[8432]: pam_authenticate returning 6 (Permission denied)


Maybe that was caused by the fact the file was user writable. Making it readable by everybody did not help and at least on kth-krb4 the .klogin file must not have been readable worldwide, so I don't think heimdal would allow that either.





Anyway, my tested setup:

# cat /etc/pam.d/system-auth 
#%PAM-1.0

auth       required     pam_env.so
auth       sufficient   pam_krb5.so debug
auth       sufficient   pam_unix.so likeauth nullok try_first_pass
auth       required     pam_deny.so

account    required     pam_unix.so

password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   required     pam_deny.so

session    required     pam_limits.so
session    required     pam_unix.so

# cat /etc/pam.d/su
#%PAM-1.0

auth    sufficient      pam_rootok.so
auth    sufficient      pam_krb5.so
auth       required     pam_wheel.so use_uid

auth       include              system-auth

account    include              system-auth

password   include              system-auth

session    include              system-auth
session    required             pam_env.so
session    optional             pam_xauth.so
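
The diagnosis from comment 2, applied to the two system-auth auth stacks posted in this bug; this is an added example and not part of the original thread or of pam_krb5. The `NON_PROMPTING` list, the `UNSUPPORTED` table (which holds only what comment 2 states) and the function name `lint_auth` are assumptions made for illustration.

```python
import re

# One PAM entry: type, control (plain or [bracketed]), module, options.
ENTRY = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

# Assumption: auth modules that never ask for a password, so a later
# use_first_pass cannot reuse anything from them (not an exhaustive list).
NON_PROMPTING = {"pam_env.so", "pam_rootok.so", "pam_wheel.so",
                 "pam_deny.so", "pam_permit.so", "pam_nologin.so"}
# Only what comment 2 states for this pam_krb5; not a full option table.
UNSUPPORTED = {"pam_krb5.so": {"ignore_root"}}

# The auth stacks from the description (failing) and comment 3 (working).
BROKEN = """\
#%PAM-1.0
auth       required     pam_env.so
auth       sufficient   pam_krb5.so use_first_pass ignore_root debug
auth       sufficient   pam_unix.so likeauth nullok
auth       required     pam_deny.so
"""
FIXED = """\
#%PAM-1.0
auth       required     pam_env.so
auth       sufficient   pam_krb5.so debug
auth       sufficient   pam_unix.so likeauth nullok try_first_pass
auth       required     pam_deny.so
"""

def lint_auth(text):
    """Return (line_no, module, message) findings for the auth stack."""
    findings, have_password = [], False
    for no, raw in enumerate(text.splitlines(), 1):
        m = ENTRY.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1) != "auth":
            continue
        name, opts = m.group(3).rsplit("/", 1)[-1], m.group(4).split()
        for bad in sorted(UNSUPPORTED.get(name, set()) & set(opts)):
            findings.append((no, name, f"option '{bad}' does not exist"))
        if "use_first_pass" in opts:
            if not have_password:
                findings.append((no, name, "use_first_pass set, but no "
                                 "earlier module collected a password"))
        elif name not in NON_PROMPTING:
            have_password = True  # this module may prompt and store it
    return findings

if __name__ == "__main__":
    for label, stack in (("description", BROKEN), ("comment 3", FIXED)):
        print(label, lint_auth(stack) or "no findings")
```
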
Comment 4 Emanuele Giaquinta (RETIRED) gentoo-dev 2006-07-12 12:42:36 UTC
Ok; I'll close this as INVALID then, since it was a configuration mistake.
Comment 5 Martin Mokrejš 2006-07-15 06:59:32 UTC
For those curious: when a user unlocks an X11 session through xscreensaver with the kerberos password, his/her kerberos ticket is renewed.

Also AFS tokens are renewed but it seems xscreensaver looks for krbtgt/cellname@REALM and afs/cellname@REALM in addition to krbtgt/REALM@REALM and afs@REALM.