After upgrading pam_krb-3.10 to pam_krb-3.12 or later, SSH drops a successful login immediately. It worked before the update. This doesn't affect password logins. This problem has manifested on all our Gentoo machines.

Reproducible: Always

Steps to Reproduce:
1. working setup of kerberized net-misc/openssh-5.2_p1-r1 and pam_krb-3.10
2. pam_krb to 3.12
3. login through SSH with a kerberos ticket or public key

Actual Results:
user@host1 ~ $ ssh host2
Connection closed by 10.11.11.2

Remember, the setup works with pam_krb-3.10. As there is a GLSA regarding version 3.10 and earlier, it's wise to upgrade.

Expected Results:
Should have spawned a shell.

I poked around in sshd_config and noticed UsePAM=yes. By changing it to "no", strangely all three login methods (password, kerberos ticket and pubkey) still work; password shouldn't work, because this is configured in PAM, nowhere else. But as expected, /etc/security/access.conf is ignored. So this is not a workaround in most cases. Also note that /var/log/messages didn't report anything unusual with regard to PAM and SSH.
(In reply to comment #0) all occurrences of pam_krb-3.10 should be sys-auth/pam_krb5-3.10, same for pam_krb-3.12.
In your pam config file, add the "debug" parameter to the pam_krb5 entries, and re-enable pam for ssh. Then what pam messages do you see logged after the unsuccessful ssh attempts?
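A small audit sketch for the two points raised so far, added here as an example and not part of the original report or of any project's code: it flags an sshd_config where UsePAM is off while the PAM stack relies on pam_access (the module that reads /etc/security/access.conf), and lists pam_krb5 entries that lack the "debug" argument. The sample file contents are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample inputs, not taken from the bug report's attachments.
SSHD_CONFIG = """\
PubkeyAuthentication yes
UsePAM=no
UsePAM yes
"""
PAM_SSHD = """\
auth     sufficient  pam_krb5.so try_first_pass
auth     required    pam_unix.so
account  required    pam_access.so
account  [success=1 default=ignore] pam_krb5.so debug
session  optional    pam_krb5.so
"""

def sshd_option(text, name, default):
    """Effective value of a keyword; sshd uses the first occurrence it reads."""
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)(?:\s*=\s*|\s+)(.*)$", line)
        if m and m.group(1).lower() == name.lower():
            return m.group(2).strip().strip('"').lower()
    return default

def pam_entries(text):
    """Yield (type, module, args) for each module line of a PAM service file."""
    pat = re.compile(r"\s*-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
    for line in text.splitlines():
        m = pat.match(line)
        if m:  # comment lines start with '#' and never match
            yield m.group(1), m.group(3).rsplit("/", 1)[-1], m.group(4).split()

def audit(sshd_text, pam_text):
    notes = []
    entries = list(pam_entries(pam_text))
    # Assumption: upstream OpenSSH default for UsePAM is "no" when unset.
    use_pam = sshd_option(sshd_text, "UsePAM", "no")
    has_access = any(t == "account" and mod == "pam_access.so" for t, mod, _ in entries)
    if use_pam != "yes" and has_access:
        notes.append("UsePAM is off: pam_access (access.conf) is not applied to SSH logins")
    for t, mod, args in entries:
        if mod == "pam_krb5.so" and "debug" not in args:
            notes.append(f"{t}: pam_krb5.so has no 'debug' argument")
    return notes

if __name__ == "__main__":
    for note in audit(SSHD_CONFIG, PAM_SSHD):
        print(note)
```
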
Reopen this bug when you provide the requested information.
Created attachment 200141: successful testcase with pam_krb5-3.10
SSH works in combination with pam_krb5-3.10
Created attachment 200143: successful testcase with pam_krb5-3.12
SSH doesn't work in combination with pam_krb5-3.12
(In reply to comment #2)
> In your pam config file, add "debug" parameter to the pam_krb5 entries, and
> re-enable pam for ssh. Then what pam messages do you see logged after the
> unsuccessful ssh attempts?
>

As requested, I have attached two usecases (working and nonworking situations).

** sorry for replying this late. Returned from vacation not long ago :p
Experiencing the same issue here, also confirmed that machines still equipped with pam_krb5-3.10 work and machines with pam_krb5-3.12 do not work! Pretty annoying bug, since our systems rely on ldap domain auth (which works if you leave pam on) but also several people use keys (which only works when pam is off!). So you can log in either with a pubkey or with a domain password.
Can you check with pam_krb5-4.2 please? Thanks.
Please reopen if it's still a problem with 4.2.