Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 275280

Summary: >=sys-auth/pam_krb5-3.12: SSH doesn't spawn a shell when using key exchange or kerberos
Product: Gentoo Linux Reporter: Xiwen Cheng <x>
Component: [OLD] Core systemAssignee: PAM Gentoo Team (OBSOLETE) <pam-bugs+disabled>
Status: RESOLVED TEST-REQUEST    
Severity: normal CC: kerberos
Priority: High    
Version: unspecified   
Hardware: AMD64   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: successful testcase with pam_krb5-3.10
successful testcase with pam_krb5-3.12

Description Xiwen Cheng 2009-06-24 12:12:53 UTC 
After upgrading pam_krb-3.10 to pam_krb-3.12 or later, SSH drops a successful login immediately. It worked before the update. This doesn't affect password logins. This problem has manifested on all our Gentoo machines

Reproducible: Always

Steps to Reproduce:
1. working setup of kerberized net-misc/openssh-5.2_p1-r1 and pam_krb-3.10
2. pam_krb to 3.12
3. login through SSH with a kerberos ticket or public key

Actual Results:  
user@host1 ~ $ ssh host2
Connection closed by 10.11.11.2

Remember, the setup works with pam_krb-3.10. As there is a GLSA regarding version 3.10 and earlier, it's wise to upgrade. 

Expected Results:  
Should have spawned a shell.

I poked around in sshd_config and noticed UsePAM=yes. By changing it to "no", strangely all three login methods(password, kerberos ticket and pubkey) still work; password shouldn't work, because this is configured in PAM, nowhere else. But as expected, /etc/security/access.conf is ignored. So this is not a workaround in most cases. 

Also note that /var/log/messages didn't report anything unusual with regard to PAM and SSH.
Comment 1 Xiwen Cheng 2009-06-24 12:22:58 UTC 
(In reply to comment #0)

all occurrences of pam_krb-3.10 should be sys-auth/pam_krb5-3.10, same for pam_krb-3.12.
Comment 2 Wormo (RETIRED) gentoo-dev 2009-06-27 22:27:29 UTC 
In your pam config file, add "debug" parameter to the pam_krb5 entries, and re-enable pam for ssh. Then what pam messages do you see logged after the unsuccessful ssh attempts?
Comment 3 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2009-07-04 13:00:32 UTC 
Reopen this bug when you provide the requested information.
Comment 4 Xiwen Cheng 2009-08-04 11:42:56 UTC 
Created attachment 200141 [details]
successful testcase with pam_krb5-3.10

SSH works in combination with pam_krb5-3.10
Comment 5 Xiwen Cheng 2009-08-04 11:43:49 UTC 
Created attachment 200143 [details]
successful testcase with pam_krb5-3.12

SSH doesn't work in combination with pam_krb5-3.12
Comment 6 Xiwen Cheng 2009-08-04 11:47:46 UTC 
(In reply to comment #2)
> In your pam config file, add "debug" parameter to the pam_krb5 entries, and
> re-enable pam for ssh. Then what pam messages do you see logged after the
> unsuccessful ssh attempts?
> 
As requested, I have attached two usecases (working and nonworking situations). 

** sorry for replying this late. Returned from vacation not long ago :p
Comment 7 George 2009-09-04 09:28:29 UTC 
Experiencing the same issue here, also confirmed that machines still equiped with pam_krb5-3.10 work and machines with pam_krb5-3.12 do not work!
Pretty annoying bug since our systems rely on ldap domain auth (which works if you leave pam on) but also several people use keys (which only works when pam is Off!)
So either you can log in with a pubkey or either with a domain password
Comment 8 Eray Aslan gentoo-dev 2010-05-21 20:13:17 UTC 
Can you check with pam_krb5-4.2 please?  Thanks.
Comment 9 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-07-23 14:23:55 UTC 
Please reopen if it's still a problem with 4.2