Bug#339734: openssh-server: Kerberos tickets are not saved (pam_krb5)



Marcus Better <marcus@better.se> writes:

> Here it is:

> Nov 23 10:06:37 myhost sshd[18820]: (pam_krb5): none:
> pam_sm_authenticate: entry
> Nov 23 10:06:39 myhost sshd[18820]: (pam_krb5): marcus:
> pam_sm_authenticate: exit (success)
> Nov 23 10:06:39 myhost sshd[18818]: Accepted keyboard-interactive/pam
> for marcus from 192.168.1.2 port 39812 ssh2
> Nov 23 10:06:39 myhost sshd[18821]: (pam_krb5): none: pam_sm_setcred:
> entry (0x2)
> Nov 23 10:06:39 myhost sshd[18821]: (pam_krb5): none: pam_sm_setcred:
> exit (failure)

This is very strange to me.  Clearly, saving the credentials is indeed not
working, and yet I have no trouble.  Below I show starting from scratch
with a configuration and succeeding.

Is there something unusual in your configuration?  Permissions on /tmp for
ticket caches?  I'm not sure what else could cause this.  Does it happen
with console login as well?  There must be something different about your
system than mine.

Script started on Mon Nov 28 20:18:35 2005
wanderer:/root# aptitude install openssh-server libpam-krb5
[...]
The following NEW packages will be installed:
  libpam-krb5 openssh-server 
0 packages upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 0B/241kB of archives. After unpacking 561kB will be used.
Preconfiguring packages ...
Selecting previously deselected package libpam-krb5.
(Reading database ... 92312 files and directories currently installed.)
Unpacking libpam-krb5 (from .../libpam-krb5_1.2.0-1_i386.deb) ...
Selecting previously deselected package openssh-server.
Unpacking openssh-server (from .../openssh-server_1%3a4.2p1-5_i386.deb) ...
Setting up libpam-krb5 (1.2.0-1) ...
Setting up openssh-server (4.2p1-5) ...
Creating SSH2 RSA key; this may take some time ...
Creating SSH2 DSA key; this may take some time ...
Restarting OpenBSD Secure Shell server: sshd.

wanderer:/root# cat >! /etc/pam.d/common-auth
auth  sufficient  pam_krb5.so ignore_root
auth  required    pam_unix.so try_first_pass nullok_secure
wanderer:/root# cat >! /etc/pam.d/common-session
session  optional  pam_krb5.so ignore_root
session  required  pam_unix.so
wanderer:/root# cat /etc/pam.d/ssh
# PAM configuration for the Secure Shell service

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth       required     pam_env.so # [1]

# Standard Un*x authentication.
@include common-auth

# Standard Un*x authorization.
@include common-account

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
session    optional     pam_motd.so # [1]

# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so

# Set up SELinux capabilities (need modified pam)
# session  required     pam_selinux.so multiple

# Standard Un*x password updating.
@include common-password
wanderer:/root# ssh -l thoron localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is 76:2a:82:88:77:17:d5:15:b0:8b:e7:1c:e4:ac:29:2d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
thoron@localhost's password: 
Linux wanderer 2.6.14-2-686 #1 Mon Nov 14 14:19:05 UTC 2005 i686 GNU/Linux
Last login: Mon Nov 21 15:19:54 2005 from wanderer.stanford.edu
thoron@wanderer:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1001_yMu5vb
Default principal: thoron@stanford.edu

Valid starting     Expires            Service principal
11/28/05 20:20:58  11/29/05 06:20:43  krbtgt/stanford.edu@stanford.edu


Kerberos 4 ticket cache: /tmp/tkt1001
klist: You have no tickets cached
thoron@wanderer:~$ logout
Connection to localhost closed.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
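
The failure pattern in the quoted log (pam_sm_authenticate exits with success, then pam_sm_setcred exits with failure in a different sshd process and with user "none") can be searched for in an auth log. The following Python is an added example, not part of the original message or of pam_krb5; pairing the two events by host and time is an assumption, and the function names and the second login in the sample are constructed.

```python
import re
from datetime import datetime, timedelta

# pam_krb5 debug "exit" lines in the shape quoted in the message above.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"\(pam_krb5\): (?P<user>\S+): (?P<func>pam_sm_\w+): exit \((?P<result>\w+)\)"
)

# Constructed sample: the quoted lines unwrapped, plus an invented healthy login.
SAMPLE = """\
Nov 23 10:06:37 myhost sshd[18820]: (pam_krb5): none: pam_sm_authenticate: entry
Nov 23 10:06:39 myhost sshd[18820]: (pam_krb5): marcus: pam_sm_authenticate: exit (success)
Nov 23 10:06:39 myhost sshd[18818]: Accepted keyboard-interactive/pam for marcus from 192.168.1.2 port 39812 ssh2
Nov 23 10:06:39 myhost sshd[18821]: (pam_krb5): none: pam_sm_setcred: entry (0x2)
Nov 23 10:06:39 myhost sshd[18821]: (pam_krb5): none: pam_sm_setcred: exit (failure)
Nov 23 10:07:10 myhost sshd[18901]: (pam_krb5): alice: pam_sm_authenticate: exit (success)
Nov 23 10:07:10 myhost sshd[18903]: (pam_krb5): alice: pam_sm_setcred: exit (success)
""".splitlines()

def parse(line, year=2005):
    """Return a dict for a pam_krb5 exit line, else None. syslog omits the year."""
    m = LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
    return ev

def unsaved_credentials(lines, window=timedelta(seconds=5)):
    """List (host, user, timestamp) where authentication succeeded but the
    next pam_sm_setcred on that host, within `window`, failed."""
    events = [e for e in map(parse, lines) if e]
    findings = []
    for i, auth in enumerate(events):
        if auth["func"] != "pam_sm_authenticate" or auth["result"] != "success":
            continue
        for nxt in events[i + 1:]:
            if nxt["host"] != auth["host"] or nxt["func"] != "pam_sm_setcred":
                continue
            # setcred logs a different PID and user "none", so pair by time.
            if nxt["time"] - auth["time"] <= window and nxt["result"] == "failure":
                findings.append((auth["host"], auth["user"], auth["ts"]))
            break
    return findings

if __name__ == "__main__":
    print(unsaved_credentials(SAMPLE))
```

On a busy server several logins can fall inside the same window, so a hit is a lead to check against the ticket cache on disk, not proof on its own.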



