Bug 347185

Summary:	sys-auth/pambase not authenticating with pam_krb5 after update to latest (sys-auth/pambase-20101024)
Product:	Gentoo Linux	Reporter:	Simon Alman <haven>
Component:	[OLD] Core system	Assignee:	Gentoo Linux bug wranglers <bug-wranglers>
Status:	RESOLVED INVALID
Severity:	normal
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---

Description Simon Alman 2010-11-29 15:05:12 UTC

After upgrading pambase all references to mod_krb5.so were removed from /etc/pam.d/system-auth

The original working config is given below:

auth            required        pam_env.so
auth            [success=1 default=ignore]      pam_krb5.so  ignore_root try_first_pass
auth            required        pam_unix.so try_first_pass likeauth nullok
auth            optional        pam_permit.so

account         [success=1 default=ignore]      pam_krb5.so  ignore_root try_first_pass
account         required        pam_unix.so
account         optional        pam_permit.so

password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password        [success=1 default=ignore]      pam_krb5.so  ignore_root try_first_pass
password        required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password        optional        pam_permit.so

session         required        pam_limits.so
session         required        pam_env.so
session         [success=1 default=ignore]      pam_krb5.so  ignore_root try_first_pass
session         required        pam_unix.so
session         optional        pam_permit.so


The updated broken config is given below:

auth            required        pam_env.so
auth            required        pam_unix.so try_first_pass likeauth nullok
auth            optional        pam_permit.so

account         required        pam_unix.so
account         optional        pam_permit.so

password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password        required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password        optional        pam_permit.so

session         required        pam_limits.so
session         required        pam_env.so
session         required        pam_unix.so
session         optional        pam_permit.so

Reproducible: Always

Steps to Reproduce:
1. Updated pambase as part of standard portage "emerge -uD world"
2. /etc/pam.d/system-auth over-written
3. Login via SSH no longer works for non-root accounts using kerberos (mod_krb5.so)

Actual Results:  
Login fails as mod_krb5.so is not being called in system-auth

Expected Results:  
Login should work.

Comment 1 Diego Elio Pettenò (RETIRED) gentoo-dev

2010-11-29 16:38:45 UTC

The USE flag was renamed from kerberos to pam_krb5 (as too many people complained after enabling kerberos unconditionally). Please check what your emerge command is telling you to update, next upgrade.