Date: Thu, 31 Oct 2002 09:29:37 -0500
From: Mark A Gebert
To: freebsd-questions@FreeBSD.ORG
Cc: dpenev@mail.bg
Subject: Re: Kerberos5 PAM Question
Message-ID: <20021031142937.GD660@thugsrus.org>
References: <20021029131011.GH316@thugsrus.org> <20021030063816.GA244@earth.dpsca.bg>
In-Reply-To: <20021030063816.GA244@earth.dpsca.bg>

Moving up pam_krb5 in the sshd section helped to a point. The problem turned out to be having ChallengeResponseAuthentication set to yes in sshd_config. It seems it got into calling the PAM authentication module 2x, thus confusing it, and no ticket file was written. The way I figured this out was to ssh from an older system with OpenSSH 2.9 installed (which doesn't have ChallengeResponseAuthentication as a possible feature), and the ticket file was written fine.

Thanks,

--geeb

At 08:38 +0200 30 October 2002, D. Penev wrote:
> On Tue, Oct 29, 2002 at 08:10:11AM -0500, Mark A Gebert wrote:
> > Date: Tue, 29 Oct 2002 08:10:11 -0500
> > From: Mark A Gebert
> > To: questions@FreeBSD.org
> > Subject: Kerberos5 PAM Question
> >
> > Under FreeBSD 4.7, I installed the pam_krb5 port (compiled with MIT
> > Kerberos) and I'm trying to get it to generate a ticket file with sshd
> > (with UsePrivilegeSeparation set to yes). I get authenticated fine into
> > the system:
> >
> > Oct 29 08:05:05 lart2 sshd[301]: (pam_krb5) initialize_method: pam_sm_authenticate
> > Oct 29 08:05:05 lart2 sshd[301]: (pam_krb5) initialize_method: allocating pam_krb5_state
> > Oct 29 08:05:05 lart2 sshd[301]: (pam_krb5) dumping state
> > Oct 29 08:05:05 lart2 sshd[301]: (pam_krb5) option: debug
> > Oct 29 08:05:05 lart2 sshd[301]: (pam_krb5) option: use_first_pass
> > Oct 29 08:05:05 lart2 sshd[301]: (pam_krb5) option: require_keytab
> > Oct 29 08:05:05 lart2 sshd[301]: (pam_krb5) option: ccache=%u
> > Oct 29 08:05:05 lart2 sshd[301]: (pam_krb5) state: user=`geeb'
> > Oct 29 08:05:05 lart2 sshd[301]: (pam_krb5) state: service=`sshd'
> > Oct 29 08:05:05 lart2 sshd[301]: (pam_krb5) initialize_method: success
> > Oct 29 08:05:05 lart2 sshd[301]: (pam_krb5) pam_sm_authenticate: resolve_principal: Success
> > Oct 29 08:05:05 lart2 sshd[301]: (pam_krb5) pam_krb5_get_authtok: no pre-existing password
> > Oct 29 08:05:18 lart2 sshd[301]: (pam_krb5) pam_sm_authenticate: krb5_get_init_creds_password: Success
> > Oct 29 08:05:18 lart2 sshd[301]: (pam_krb5) pam_sm_authenticate: pam_krb5_store_tgt: Success
> > Oct 29 08:05:18 lart2 sshd[301]: (pam_krb5) pam_krb5_verify_tgt: Success
> > Oct 29 08:05:18 lart2 sshd[301]: (pam_krb5) pam_sm_authenticate: result for user `geeb': Success
> > Oct 29 08:05:18 lart2 sshd[301]: (pam_krb5) initialize_method: pam_sm_acct_mgmt
> > Oct 29 08:05:18 lart2 sshd[301]: (pam_krb5) dumping state
> > Oct 29 08:05:18 lart2 sshd[301]: (pam_krb5) option: debug
> > Oct 29 08:05:18 lart2 sshd[301]: (pam_krb5) option: use_first_pass
> > Oct 29 08:05:18 lart2 sshd[301]: (pam_krb5) option: require_keytab
> > Oct 29 08:05:18 lart2 sshd[301]: (pam_krb5) option: ccache=%u
> > Oct 29 08:05:18 lart2 sshd[301]: (pam_krb5) state: STATE_AUTH_COMPLETED
> > Oct 29 08:05:18 lart2 sshd[301]: (pam_krb5) state: princ_name=`geeb@THUGSRUS.NET'
> > Oct 29 08:05:18 lart2 sshd[301]: (pam_krb5) state: user=`geeb'
> > Oct 29 08:05:18 lart2 sshd[301]: (pam_krb5) state: service=`sshd'
> > Oct 29 08:05:18 lart2 sshd[301]: (pam_krb5) state: princ exists
> > Oct 29 08:05:18 lart2 sshd[301]: (pam_krb5) state: ccache exists
> > Oct 29 08:05:18 lart2 sshd[301]: (pam_krb5) initialize_method: success
> > Oct 29 08:05:18 lart2 sshd[301]: (pam_krb5) pam_sm_acct_mgmt: result for user `geeb': Success
> > Oct 29 08:05:18 lart2 sshd[301]: (pam_krb5) cleanup_state
> > Oct 29 08:05:18 lart2 sshd[299]: Accepted keyboard-interactive/pam for geeb from 66.93.1.55 port 2142 ssh2
> >
> > But no ticket file:
> >
> > >klist
> > klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_4465)
> >
> > Kerberos 4 ticket cache: /tmp/tkt4465
> > klist: You have no tickets cached
> >
> > The line in /etc/pam.conf is:
> >
> > sshd auth required pam_krb5.so use_first_pass ccache=%u require_keytab debug
>
> I had such kind of problems with pam_krb5 & login, and I resolved them by
> moving pam_krb5 to be first in the PAM stack.
>
> > I've generated a host/lart2.thugsrus.net and a sshd/lart.thugsrus.net key
> > but to no avail.
> >
> > Any help is appreciated.
> >
> > --geeb
> >
> > --
> > Mark Gebert geeb@thugsrus.org
> > "It takes a Viking to raze a village!"
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-questions" in the body of the message
>
> --
> Regards,
> D. Penev
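A configuration check in the spirit of this thread, added here as an example and not part of the original messages or of any FreeBSD, OpenSSH or pam_krb5 code: a small POSIX sh script that reports the effective ChallengeResponseAuthentication value in an sshd_config and where pam_krb5.so sits in the "sshd auth" stack of a pam.conf, the two things the thread ends up adjusting. The two pairs of sample files are constructed for the example, and the function names (sshd_effective, pam_krb5_auth_position, lint_krb5_sshd) are mine. It assumes OpenSSH's documented rule that the first occurrence of a keyword in sshd_config is the one used, and the single-file FreeBSD 4.x pam.conf layout (service, type, control, module, options) shown in the quoted pam.conf line.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: lint sshd_config and
# pam.conf for the two settings discussed above. The sample files are
# constructed; point the functions at /etc/ssh/sshd_config and /etc/pam.conf
# to inspect a live host. The script only reports, it changes nothing.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

SSHD_CONF="$WORK/sshd_config"            # constructed "as found" sample
PAM_CONF="$WORK/pam.conf"
SSHD_CONF_FIXED="$WORK/sshd_config.fixed"  # constructed "after" sample
PAM_CONF_FIXED="$WORK/pam.conf.fixed"

cat > "$SSHD_CONF" <<'EOF'
# constructed sample sshd_config
Port 22
UsePrivilegeSeparation yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes
EOF

cat > "$PAM_CONF" <<'EOF'
# constructed sample pam.conf, FreeBSD 4.x single-file layout
sshd auth sufficient pam_opie.so no_fake_prompts
sshd auth required pam_krb5.so use_first_pass ccache=%u require_keytab debug
sshd auth required pam_unix.so try_first_pass
EOF

cat > "$SSHD_CONF_FIXED" <<'EOF'
ChallengeResponseAuthentication no
PasswordAuthentication yes
EOF

cat > "$PAM_CONF_FIXED" <<'EOF'
sshd auth required pam_krb5.so use_first_pass ccache=%u require_keytab
sshd auth required pam_unix.so try_first_pass
EOF

# Effective value of an sshd_config keyword: sshd uses the FIRST occurrence,
# so report the first match. Keywords are case-insensitive; comments and
# blank lines are skipped. Prints nothing if the keyword is absent.
sshd_effective() {
    # $1 = sshd_config path, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# 1-based position of pam_krb5.so among the "sshd auth" lines of pam.conf,
# or 0 if it is not present. 1 means it runs first in that stack.
pam_krb5_auth_position() {
    # $1 = pam.conf path
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "sshd" && $2 == "auth" {
            n++
            if ($4 ~ /pam_krb5\.so/) { print n; found = 1; exit }
        }
        END { if (!found) print 0 }
    ' "$1"
}

# Print one line per finding. Returns 0 when nothing was flagged, 1 otherwise.
lint_krb5_sshd() {
    # $1 = sshd_config path, $2 = pam.conf path
    rc=0
    cra=$(sshd_effective "$1" ChallengeResponseAuthentication)
    if [ "$cra" = "yes" ]; then
        echo "WARN: ChallengeResponseAuthentication is yes; with the 2002 sshd in the thread, pam_krb5 ran twice and wrote no ccache"
        rc=1
    fi
    pos=$(pam_krb5_auth_position "$2")
    if [ "$pos" -eq 0 ]; then
        echo "WARN: no pam_krb5.so entry in the sshd auth stack"
        rc=1
    elif [ "$pos" -gt 1 ]; then
        echo "INFO: pam_krb5.so is entry $pos of the sshd auth stack, not first"
        rc=1
    fi
    return $rc
}

echo "== as-found sample =="
lint_krb5_sshd "$SSHD_CONF" "$PAM_CONF" || echo "(review the findings above)"
echo "== after sample =="
lint_krb5_sshd "$SSHD_CONF_FIXED" "$PAM_CONF_FIXED" && echo "nothing flagged"
```

The "after" sample only shows what the check considers clean; whether ChallengeResponseAuthentication has to be no on a given host depends on the OpenSSH and pam_krb5 versions in use, since the double-invocation behaviour reported above was observed on the 2002-era sshd. Run the functions against the real files and read the findings as prompts for a look at the PAM debug log, not as a verdict.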