Date:      Thu, 31 Oct 2002 09:29:37 -0500
From:      Mark A Gebert <geeb@thugsrus.org>
To:        freebsd-questions@FreeBSD.ORG
Cc:        dpenev@mail.bg
Subject:   Re: Kerberos5 PAM Question
Message-ID:  <20021031142937.GD660@thugsrus.org>
In-Reply-To: <20021030063816.GA244@earth.dpsca.bg>
References:  <20021029131011.GH316@thugsrus.org> <20021030063816.GA244@earth.dpsca.bg>

Moving up the pam_krb5 in the sshd section helped to a point. The problem
turned out to be having ChallengeResponseAuthentication set to yes in the
sshd_config. It seems it got into calling the PAM authentication module 2x,
thus confusing it, and no ticket file was written. The way I figured this out
was to ssh from an older system with OpenSSH 2.9 installed (which doesn't have
ChallengeResponseAuthentication as a possible feature), and the ticket file was
written fine.

Thanks,

--geeb

At 08:38 +0200 30 October 2002, D. Penev <dpenev> wrote:

> On Tue, Oct 29, 2002 at 08:10:11AM -0500, Mark A Gebert wrote:
> >Date: Tue, 29 Oct 2002 08:10:11 -0500
> >From: Mark A Gebert <geeb@thugsrus.org>
> >To: questions@FreeBSD.org
> >Subject: Kerberos5 PAM Question
> >
> >Under FreeBSD4.7, I installed the pam_krb5 port (compiled with MIT 
> >Kerberos)
> >and I'm trying to get it to generate a ticket file with sshd (with 
> >UsePrivilegeSeparation set to yes).  I get authenticated fine into the 
> >system:
> >
> >
> >
> >Oct 29 08:05:05 lart2 sshd[301]: (pam_krb5) initialize_method: 
> >pam_sm_authenticate
> >Oct 29 08:05:05 lart2 sshd[301]: (pam_krb5) initialize_method: allocating 
> >pam_krb5_state
> >Oct 29 08:05:05 lart2 sshd[301]: (pam_krb5) dumping state
> >Oct 29 08:05:05 lart2 sshd[301]: (pam_krb5) option: debug
> >Oct 29 08:05:05 lart2 sshd[301]: (pam_krb5) option: use_first_pass
> >Oct 29 08:05:05 lart2 sshd[301]: (pam_krb5) option: require_keytab
> >Oct 29 08:05:05 lart2 sshd[301]: (pam_krb5) option: ccache=%u
> >Oct 29 08:05:05 lart2 sshd[301]: (pam_krb5) state: user=`geeb'
> >Oct 29 08:05:05 lart2 sshd[301]: (pam_krb5) state: service=`sshd'
> >Oct 29 08:05:05 lart2 sshd[301]: (pam_krb5) initialize_method: success
> >Oct 29 08:05:05 lart2 sshd[301]: (pam_krb5) pam_sm_authenticate: 
> >resolve_principal: Success
> >Oct 29 08:05:05 lart2 sshd[301]: (pam_krb5) pam_krb5_get_authtok: no 
> >pre-existing password
> >Oct 29 08:05:18 lart2 sshd[301]: (pam_krb5) pam_sm_authenticate: 
> >krb5_get_init_creds_password: Success
> >Oct 29 08:05:18 lart2 sshd[301]: (pam_krb5) pam_sm_authenticate: 
> >pam_krb5_store_tgt: Success
> >Oct 29 08:05:18 lart2 sshd[301]: (pam_krb5) pam_krb5_verify_tgt: Success
> >Oct 29 08:05:18 lart2 sshd[301]: (pam_krb5) pam_sm_authenticate: result 
> >for user `geeb': Success
> >Oct 29 08:05:18 lart2 sshd[301]: (pam_krb5) initialize_method: 
> >pam_sm_acct_mgmt
> >Oct 29 08:05:18 lart2 sshd[301]: (pam_krb5) dumping state
> >Oct 29 08:05:18 lart2 sshd[301]: (pam_krb5) option: debug
> >Oct 29 08:05:18 lart2 sshd[301]: (pam_krb5) option: use_first_pass
> >Oct 29 08:05:18 lart2 sshd[301]: (pam_krb5) option: require_keytab
> >Oct 29 08:05:18 lart2 sshd[301]: (pam_krb5) option: ccache=%u
> >Oct 29 08:05:18 lart2 sshd[301]: (pam_krb5) state: STATE_AUTH_COMPLETED
> >Oct 29 08:05:18 lart2 sshd[301]: (pam_krb5) state: 
> >princ_name=`geeb@THUGSRUS.NET'
> >Oct 29 08:05:18 lart2 sshd[301]: (pam_krb5) state: user=`geeb'
> >Oct 29 08:05:18 lart2 sshd[301]: (pam_krb5) state: service=`sshd'
> >Oct 29 08:05:18 lart2 sshd[301]: (pam_krb5) state: princ exists
> >Oct 29 08:05:18 lart2 sshd[301]: (pam_krb5) state: ccache exists
> >Oct 29 08:05:18 lart2 sshd[301]: (pam_krb5) initialize_method: success
> >Oct 29 08:05:18 lart2 sshd[301]: (pam_krb5) pam_sm_acct_mgmt: result for 
> >user `geeb': Success
> >Oct 29 08:05:18 lart2 sshd[301]: (pam_krb5) cleanup_state
> >Oct 29 08:05:18 lart2 sshd[299]: Accepted keyboard-interactive/pam for 
> >geeb from 66.93.1.55 port 2142 ssh2
> >
> >
> >But no ticket file:
> >
> >
> >>klist
> >klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_4465)
> >
> >
> >Kerberos 4 ticket cache: /tmp/tkt4465
> >klist: You have no tickets cached
> >
> >
> >The line in /etc/pam.conf is:
> >
> >sshd    auth    required        pam_krb5.so     use_first_pass ccache=%u require_keytab debug
> 
> I had such problems with pam_krb5 & login, and I resolved them by
> moving pam_krb5 to be first in the PAM stack.
> 
> >
> >I've generated a host/lart2.thugsrus.net and a sshd/lart.thugsrus.net key 
> >but
> >to no avail.
> >
> >Any help is appreciated.
> >
> >--geeb
> >
> >-- 
> >Mark Gebert			geeb@thugsrus.org
> >"It takes a Viking to raze a village!"
> >
> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >with "unsubscribe freebsd-questions" in the body of the message
> 
> -- 
> Regards,
> D. Penev

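A small audit in shell, added here and not part of the thread, that checks an sshd_config and a pam.conf for the combination Gebert reports: ChallengeResponseAuthentication left at yes (the keyboard-interactive path that ran the PAM auth stack twice) alongside pam_krb5 not being first in the sshd auth stack. The file paths are parameters, the sample configs are constructed, and the pam_unix.so line in them is an assumption.

```shell
# Added check (not code from the thread). Audits an sshd_config and a
# pam.conf for the combination reported above: ChallengeResponseAuthentication
# yes (sshd's keyboard-interactive path, which ran the PAM auth stack a
# second time) together with pam_krb5 not first in the "sshd auth" stack.
# Paths are parameters; the sample files written by write_samples are
# constructed for illustration only.

sshd_opt() {  # $1 = sshd_config, $2 = keyword; sshd honours the first match
    awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; f=1; exit }
        END { if (!f) print "unset" }' "$1"
}

first_sshd_auth_module() {  # $1 = pam.conf; module of the first "sshd auth" line
    awk '$1 !~ /^#/ && $1 == "sshd" && $2 == "auth" { print $4; exit }' "$1"
}

# Exit status: 0 = clean; 1 = ChallengeResponseAuthentication not explicitly
# "no" (unset defaults to yes in OpenSSH, the root cause in the thread);
# 2 = that is off but pam_krb5.so is still not first (the partial fix only).
check_krb5_ticket_setup() {  # $1 = sshd_config, $2 = pam.conf
    cra=$(sshd_opt "$1" ChallengeResponseAuthentication)
    first=$(first_sshd_auth_module "$2")
    if [ "$cra" != "no" ]; then
        echo "ChallengeResponseAuthentication=$cra: PAM auth may run twice, no ticket file written"
        return 1
    fi
    if [ "$first" != "pam_krb5.so" ]; then
        echo "pam_krb5.so is not first in the sshd auth stack (first: ${first:-none})"
        return 2
    fi
    return 0
}

write_samples() {  # $1 = scratch dir; writes constructed before/after configs
    printf 'UsePrivilegeSeparation yes\nChallengeResponseAuthentication yes\n' > "$1/sshd_config.before"
    printf 'UsePrivilegeSeparation yes\nChallengeResponseAuthentication no\n' > "$1/sshd_config.after"
    printf 'sshd auth required pam_unix.so\nsshd auth required pam_krb5.so use_first_pass ccache=%%u require_keytab debug\n' > "$1/pam.conf.before"
    printf 'sshd auth required pam_krb5.so use_first_pass ccache=%%u require_keytab debug\nsshd auth required pam_unix.so\n' > "$1/pam.conf.after"
}
```

Run it as `check_krb5_ticket_setup /etc/ssh/sshd_config /etc/pam.conf` on a host; the sample files only exist to exercise the three outcomes.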