I have unmasked the sys-auth/pam_krb5-2.2.6.ebuild and changed its dependency to virtual/krb5 to test heimdal support. The module itself works (when you have a ticket of the target user login you do not have to provide the passphrase again), at least for ssh logins and su(1) (see bug #134068, and make sure your sshd_config has correct settings (bug #132243)). On the other hand, if you do not have the ticket in your local cache file (I tried the attempt shown below as root) and you try to provide the kerberos password of the remote user, it doesn't get recognized as valid. This shouldn't happen because /etc/pam.d/system-auth contains:

#%PAM-1.0
auth required pam_env.so
auth sufficient pam_krb5.so use_first_pass ignore_root debug
auth sufficient pam_unix.so likeauth nullok
auth required pam_deny.so
account required pam_unix.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_unix.so nullok md5 shadow use_authtok
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so

# ssh -l mmokrejs -v vrapenec
OpenSSH_4.3p2, OpenSSL 0.9.7j 04 May 2006
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to vrapenec [192.168.0.2] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'vrapenec' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:6
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Miscellaneous failure (see text)
open(/tmp/krb5cc_0): No such file or directory

debug1: Trying to start again
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Password:
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
Password:
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
Password:
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-with-mic,keyboard-interactive).
#

The following were logged:

Jul 10 23:53:37 vrapenec sshd[17458]: pam_krb5[17458]: configured realm 'DOMA'
Jul 10 23:53:37 vrapenec sshd[17458]: pam_krb5[17458]: flags: forwardable proxiable
Jul 10 23:53:37 vrapenec sshd[17458]: pam_krb5[17458]: flag: no ignore_afs
Jul 10 23:53:37 vrapenec sshd[17458]: pam_krb5[17458]: flag: user_check
Jul 10 23:53:37 vrapenec sshd[17458]: pam_krb5[17458]: flag: no krb4_convert
Jul 10 23:53:37 vrapenec sshd[17458]: pam_krb5[17458]: flag: krb4_convert_524
Jul 10 23:53:37 vrapenec sshd[17458]: pam_krb5[17458]: flag: krb4_use_as_req
Jul 10 23:53:37 vrapenec sshd[17458]: pam_krb5[17458]: flag: no use_shmem
Jul 10 23:53:37 vrapenec sshd[17458]: pam_krb5[17458]: flag: no external
Jul 10 23:53:37 vrapenec sshd[17458]: pam_krb5[17458]: flag: warn
Jul 10 23:53:37 vrapenec sshd[17458]: pam_krb5[17458]: ticket lifetime: 604800
Jul 10 23:53:37 vrapenec sshd[17458]: pam_krb5[17458]: renewable lifetime: 0
Jul 10 23:53:37 vrapenec sshd[17458]: pam_krb5[17458]: banner: Kerberos 5
Jul 10 23:53:37 vrapenec sshd[17458]: pam_krb5[17458]: ccache dir: /tmp
Jul 10 23:53:37 vrapenec sshd[17458]: pam_krb5[17458]: keytab: FILE:/etc/krb5.keytab
Jul 10 23:53:37 vrapenec sshd[17458]: pam_krb5[17458]: called to authenticate 'mmokrejs', realm 'DOMA'
Jul 10 23:53:37 vrapenec sshd[17458]: pam_krb5[17458]: authenticating 'mmokrejs@DOMA'
Jul 10 23:53:37 vrapenec sshd[17458]: pam_krb5[17458]: authentication fails for 'mmokrejs' (mmokrejs@DOMA): Authentication failure (Unknown code krb5 60)
Jul 10 23:53:37 vrapenec sshd[17458]: pam_krb5[17458]: pam_authenticate returning 7 (Authentication failure)

Similarly, even local login on one of the virtual terminals fails when I try to use the kerberos password instead of my local password:

Jul 11 00:00:13 vrapenec login[7987]: pam_krb5[7987]: configured realm 'DOMA'
Jul 11 00:00:13 vrapenec login[7987]: pam_krb5[7987]: flags: forwardable proxiable
Jul 11 00:00:13 vrapenec login[7987]: pam_krb5[7987]: flag: no ignore_afs
Jul 11 00:00:13 vrapenec login[7987]: pam_krb5[7987]: flag: user_check
Jul 11 00:00:13 vrapenec login[7987]: pam_krb5[7987]: flag: no krb4_convert
Jul 11 00:00:13 vrapenec login[7987]: pam_krb5[7987]: flag: krb4_convert_524
Jul 11 00:00:13 vrapenec login[7987]: pam_krb5[7987]: flag: krb4_use_as_req
Jul 11 00:00:13 vrapenec login[7987]: pam_krb5[7987]: flag: no use_shmem
Jul 11 00:00:13 vrapenec login[7987]: pam_krb5[7987]: flag: no external
Jul 11 00:00:13 vrapenec login[7987]: pam_krb5[7987]: flag: warn
Jul 11 00:00:13 vrapenec login[7987]: pam_krb5[7987]: ticket lifetime: 604800
Jul 11 00:00:13 vrapenec login[7987]: pam_krb5[7987]: renewable lifetime: 0
Jul 11 00:00:13 vrapenec login[7987]: pam_krb5[7987]: banner: Kerberos 5
Jul 11 00:00:13 vrapenec login[7987]: pam_krb5[7987]: ccache dir: /tmp
Jul 11 00:00:13 vrapenec login[7987]: pam_krb5[7987]: keytab: FILE:/etc/krb5.keytab
Jul 11 00:00:13 vrapenec login[7987]: pam_krb5[7987]: called to authenticate 'mmokrejs', realm 'DOMA'
Jul 11 00:00:13 vrapenec login[7987]: pam_krb5[7987]: authenticating 'mmokrejs@DOMA'
Jul 11 00:00:13 vrapenec login[7987]: pam_krb5[7987]: authentication fails for 'mmokrejs' (mmokrejs@DOMA): Authentication failure (Unknown code krb5 60)
Jul 11 00:00:13 vrapenec login[7987]: pam_krb5[7987]: pam_authenticate returning 7 (Authentication failure)
Jul 11 00:00:16 vrapenec login(pam_unix)[7987]: authentication failure; logname= uid=0 euid=0 tty=tty2 ruser= rhost= user=mmokrejs
Jul 11 00:00:19 vrapenec login[7987]: FAILED LOGIN (1) on 'tty2' FOR `mmokrejs', Authentication failure
Created attachment 91403
pam_krb5-2.2.6-r1.ebuild

This ebuild works on ~x86. The issue is, I guess, a configuration problem and not a problem with the compilation process.

checking for krb5-config... /usr/bin/krb5-config
checking for krb4-config... :
configure: WARNING: krb4 not found
checking if pam_krb5 knows how to set AFS tokens on linux-gnu... yes
checking for main in -lresolv... yes
checking for KRB5_CFLAGS... -I/usr/include/heimdal
checking for KRB5_LIBS... -L/usr/lib -lkrb5 -lasn1 -lcom_err -lcrypto -lroken -lcrypt -ldl -lresolv -lpthread
checking sys/ioccom.h usability... no
checking sys/ioccom.h presence... no
checking for sys/ioccom.h... no
checking for inttypes.h... (cached) yes
checking for stdint.h... (cached) yes
checking security/pam_appl.h usability... yes
checking security/pam_appl.h presence... yes
checking for security/pam_appl.h... yes
checking security/pam_modules.h usability... yes
checking security/pam_modules.h presence... yes
checking for security/pam_modules.h... yes
checking security/pam_misc.h usability... yes
checking security/pam_misc.h presence... yes
checking for security/pam_misc.h... yes
checking for getpwnam_r... yes
checking for __posix_getpwnam_r... no
checking for crypt... no
checking for crypt in -lcrypt... yes
checking krb5.h usability... yes
checking krb5.h presence... yes
checking for krb5.h... yes
checking for krb_life_to_time... no
checking for krb_time_to_life... no
checking for krb5_init_secure_context... no
checking for krb5_free_unparsed_name... no
checking for krb5_free_default_realm... no
checking for krb5_set_principal_realm... no
checking for krb_in_tkt... no
checking for in_tkt... no
checking for krb_save_credentials... no
checking for save_credentials... no
checking whether error_message is declared... yes
checking com_err.h usability... yes
checking com_err.h presence... yes
checking for com_err.h... yes
checking et/com_err.h usability... yes
checking et/com_err.h presence... yes
checking for et/com_err.h... yes
checking whether krb5_os_localaddr is declared... no
checking whether krb5_os_hostaddr is declared... no
checking whether krb5_copy_addr is declared... no
checking whether krb5_get_all_client_addrs is declared... yes
checking for krb5_const_realm... yes
checking for krb5_creds.keyblock... no
checking for krb5_creds.session... yes
checking for krb5_keyblock.enctype... no
checking for krb5_keyblock.keytype... yes
checking for krb524_convert_creds_kdc... yes
checking for krb5_524_convert_creds... no
checking for krb524_convert_creds_kdc... (cached) yes
checking for dlopen... no
checking for dlopen in -ldl... yes
checking for pam_get_item... no
checking for pam_get_item in -lpam... yes
checking for misc_conv... no
checking for misc_conv in -lpam_misc... yes
Using "EXAMPLE.COM" as the default realm
Using "/tmp" to store ccache files
Using "FILE:/etc/krb5.keytab" as the default keytab
will link using "-Wl,-Bsymbolic" to reduce conflicts
checking for location to install module and helpers... modules in /lib/security, helpers in /lib/security/pam_krb5
configure: creating ./config.status
I have not tested it with heimdal, but it should be a configuration problem given that it is not specific to a particular service; btw in bug #134307 a user reported to have it working with heimdal. Some considerations:

- the ignore_root option does not exist
- why do you enable use_first_pass? It inhibits a password request, trying to use instead one used in a module that comes earlier in the pam stack, in this case none afaics. Try removing it and see if it helps. Another possibility is using the "no_initial_prompt" option, which uses v5_get_creds and krb5_kuserok to do the auth (thus using .k5login).
OK, the following setup works for me, except for the fact that su asks first for the kerberized password for root, and the ignore_root option would be helpful in this case; re-typing the password on the second prompt is treated as a local password, so I can get in. However, this setup with heimdal-0.7.2-r2 works for a user with TTY login, ssh login, and xscreensaver-5.00. I had to remove the ~/.k5login, which was only u+rw, but still, in /var/log/messages I saw:

Jul 12 12:18:03 vrapenec sshd[8432]: pam_krb5[8432]: krb5_get_init_creds_password(krbtgt/DOMA@DOMA) returned 0 (Success)
Jul 12 12:18:03 vrapenec sshd[8432]: pam_krb5[8432]: got result 0 (Success)
Jul 12 12:18:03 vrapenec sshd[8432]: pam_krb5[8432]: account checks fail for 'mmokrejs@DOMA': user disallowed by .k5login file for 'mmokrejs'
Jul 12 12:18:03 vrapenec sshd[8432]: pam_krb5[8432]: authentication fails for 'mmokrejs' (mmokrejs@DOMA): Permission denied (Success)
Jul 12 12:18:03 vrapenec sshd[8432]: pam_krb5[8432]: pam_authenticate returning 6 (Permission denied)

Maybe that was caused by the fact the file was user writable. Making it readable by everybody did not help, and at least on kth-krb4 the .klogin file must not have been world-readable, so I don't think heimdal would allow that either.

Anyway, my tested setup:

# cat /etc/pam.d/system-auth
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_krb5.so debug
auth sufficient pam_unix.so likeauth nullok try_first_pass
auth required pam_deny.so
account required pam_unix.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_unix.so nullok md5 shadow use_authtok
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so

# cat /etc/pam.d/su
#%PAM-1.0
auth sufficient pam_rootok.so
auth sufficient pam_krb5.so
auth required pam_wheel.so use_uid
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
session required pam_env.so
session optional pam_xauth.so
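The control-flag walk that the previous comment describes (use_first_pass with no earlier module to take a password from, versus try_first_pass on pam_unix), as an added example that is not part of this bug report, of Gentoo's ebuild, or of pam_krb5 itself: a small Python model of a PAM auth stack that contrasts the original system-auth with the working one. The module behaviours, the PAM_AUTHTOK handling and the sample passwords are simplified assumptions written for this illustration; real pam_krb5 and pam_unix do more, and the model says nothing about the krb5 code 60 in the logs. It only shows why pam_krb5 as the first password module with use_first_pass has nothing to use, and why try_first_pass lets a single prompt serve both modules.

```python
"""
Toy model of how Linux-PAM walks an 'auth' stack (control flags as documented
in pam.d(5)), used to compare the broken and the working system-auth above.
Module behaviour is a simplified assumption, not the real pam_krb5/pam_unix.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PAM_SUCCESS, PAM_AUTH_ERR = 0, 7

# The two 'auth' stacks from the bug report (other stack types are ignored).
BROKEN_STACK = """
auth required   pam_env.so
auth sufficient pam_krb5.so use_first_pass ignore_root debug
auth sufficient pam_unix.so likeauth nullok
auth required   pam_deny.so
"""

WORKING_STACK = """
auth required   pam_env.so
auth sufficient pam_krb5.so debug
auth sufficient pam_unix.so likeauth nullok try_first_pass
auth required   pam_deny.so
"""


def parse_stack(text: str, stack_type: str = "auth") -> List[Tuple[str, str, List[str]]]:
    """Turn 'auth sufficient pam_krb5.so opt...' lines into (control, module, options)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] != stack_type:
            continue
        control, module, *opts = parts[1:]
        rules.append((control, module, opts))
    return rules


@dataclass
class Conversation:
    """Stand-in for the PAM conversation function: what the user would type, in order."""
    typed: List[str]
    authtok: Optional[str] = None          # PAM_AUTHTOK, shared by later modules
    prompts: int = 0
    trace: List[str] = field(default_factory=list)

    def prompt(self) -> str:
        self.prompts += 1
        self.authtok = self.typed.pop(0) if self.typed else ""
        return self.authtok


def get_password(conv: Conversation, opts: List[str]) -> Optional[str]:
    """use_first_pass: stored token only (None if there is none); try_first_pass: stored token, else prompt."""
    if "use_first_pass" in opts:
        return conv.authtok
    if "try_first_pass" in opts and conv.authtok is not None:
        return conv.authtok
    return conv.prompt()


def run_module(module: str, opts: List[str], conv: Conversation, krb_pw: str, local_pw: str) -> int:
    """Assumed behaviour: pam_krb5 accepts the KDC password, pam_unix the local one."""
    if module == "pam_env.so":
        return PAM_SUCCESS
    if module == "pam_deny.so":
        return PAM_AUTH_ERR
    if module in ("pam_krb5.so", "pam_unix.so"):
        pw = get_password(conv, opts)
        if pw is None:
            conv.trace.append(f"{module}: use_first_pass but no earlier password -> fail")
            return PAM_AUTH_ERR
        ok = pw == (krb_pw if module == "pam_krb5.so" else local_pw)
        conv.trace.append(f"{module}: {'ok' if ok else 'rejected'}")
        return PAM_SUCCESS if ok else PAM_AUTH_ERR
    raise ValueError(f"unmodelled module {module}")


def authenticate(stack: str, typed: List[str], krb_pw: str, local_pw: str) -> Tuple[int, int, List[str]]:
    """Walk the stack with required/requisite/sufficient semantics; return (status, prompts, trace)."""
    conv = Conversation(list(typed))
    failed_required = False
    for control, module, opts in parse_stack(stack):
        rc = run_module(module, opts, conv, krb_pw, local_pw)
        if control == "required" and rc != PAM_SUCCESS:
            failed_required = True                     # remembered, but keep walking
        elif control == "requisite" and rc != PAM_SUCCESS:
            return rc, conv.prompts, conv.trace        # abort immediately
        elif control == "sufficient" and rc == PAM_SUCCESS and not failed_required:
            return PAM_SUCCESS, conv.prompts, conv.trace
    return (PAM_AUTH_ERR if failed_required else PAM_SUCCESS), conv.prompts, conv.trace


if __name__ == "__main__":
    KRB_PW, LOCAL_PW = "kerberos-secret", "local-secret"   # constructed sample values
    for name, stack in (("broken", BROKEN_STACK), ("working", WORKING_STACK)):
        for pw in (KRB_PW, LOCAL_PW):
            rc, prompts, trace = authenticate(stack, [pw, pw, pw], KRB_PW, LOCAL_PW)
            print(f"{name:8s} typing {pw!r:18s}: rc={rc} prompts={prompts} {trace}")
```

With the broken stack the kerberos password is never seen by pam_krb5 at all: it fails before prompting, pam_unix then asks and rejects the kerberos password as a local one, and pam_deny finishes the job. With the working stack pam_krb5 prompts first; if the KDC rejects the password, pam_unix reuses the same token via try_first_pass, so either password gets in after one prompt.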
Ok; I'll close this as INVALID then, since it was a configuration mistake.
For those curious when user unlocks X11 session through xscreensaver with kerberos password his/her kerberos ticket is renewed. Also AFS tokens are renewed but it seems xscreensaver looks for krbtgt/cellname@REALM and afs/cellname@REALM in addition to krbtgt/REALM@REALM and afs@REALM.