--- Begin Message ---
Package: ssh-krb5
Version: 3.8.1p1-7
Severity: normal
Password login fails, if .k5login is present. If it .k5login is renamed,
it works again (I made sure that the file is world readable).
I would like certain users to access the account via .k5login, but have
a password login for myself also from non-kerberized hosts (laptop).
In the following examples I run [essigke@moe] 142 (~): ssh -vvv
sftadm@moe, but same is true for remote logins.
Sorry for the lengthy report, but I am not sure if it is a configuration
mistake or a bug...
Thanks in advance,
Timm
Without .k5login I can login by password (with or without kerberos ticket):
debug1: Authentications that can continue:
gssapi-with-mic,publickey,gssapi,password,keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
sftadm@moe's password:
debug3: packet_send2: adding 64 (len 59 padlen 5 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Entering interactive session.
With valid kerberos ticket and .k5login I can login:
debug1: Authentications that can continue:
gssapi-with-mic,publickey,gssapi,password,keyboard-interactive
debug3: start over, passed a different list
gssapi-with-mic,publickey,gssapi,password,keyboard-interactive
debug3: preferred
gssapi-with-mic,gssapi,publickey,keyboard-interactive,passworddebug3:
authmethod_lookup gssapi-with-mic
debug3: remaining preferred: gssapi,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentication succeeded (gssapi-with-mic).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Entering interactive session.
After kdestroy, login fails:
debug1: Authentications that can continue:
gssapi-with-mic,publickey,gssapi,password,keyboard-interactive
debug3: start over, passed a different list
gssapi-with-mic,publickey,gssapi,password,keyboard-interactive
debug3: preferred
gssapi-with-mic,gssapi,publickey,keyboard-interactive,passworddebug3:
authmethod_lookup gssapi-with-mic
debug3: remaining preferred: gssapi,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Miscellaneous failure
No credentials cache found
debug1: Trying to start again
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
gssapi-with-mic,publickey,gssapi,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi
debug1: Next authentication method: gssapi
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/essigke/.ssh/identity
debug3: no such identity: /home/essigke/.ssh/identity
debug1: Offering public key: /home/essigke/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue:
gssapi-with-mic,publickey,gssapi,password,keyboard-interactive
debug1: Offering public key: /home/essigke/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue:
gssapi-with-mic,publickey,gssapi,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue:
gssapi-with-mic,publickey,gssapi,password,keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
sftadm@moe's password:
debug3: packet_send2: adding 64 (len 59 padlen 5 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue:
gssapi-with-mic,publickey,gssapi,password,keyboard-interactive
Permission denied, please try again.
--/etc/ssh/sshd_config
...
PasswordAuthentication yes
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
...
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (500, 'testing'), (50, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-1-686-smp
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Versions of packages ssh-krb5 depends on:
ii adduser 3.63 Add and remove users and groups
ii debconf 1.4.30.13 Debian configuration
management sy
ii libc6 2.3.2.ds1-21 GNU C Library: Shared
libraries an
ii libcomerr2 1.37-2 common error description
library
ii libkrb53 1.3.6-2 MIT Kerberos runtime libraries
ii libpam-runtime 0.76-22 Runtime support for the PAM
librar
ii libpam0g 0.76-22 Pluggable Authentication
Modules l
ii libssl0.9.7 0.9.7e-3 SSL shared libraries
ii libwrap0 7.6.dbs-8 Wietse Venema's TCP
wrappers libra
ii zlib1g 1:1.2.2-4 compression library - runtime
-- debconf information:
ssh/insecure_rshd:
ssh/privsep_ask: true
ssh/user_environment_tell:
* ssh/forward_warning:
ssh/insecure_telnetd:
ssh/new_config: true
* ssh/use_old_init_script: true
* ssh/SUID_client: true
* ssh/privsep_tell:
ssh/ssh2_keys_merged:
* ssh/protocol2_only: true
ssh/encrypted_host_key_but_no_keygen:
* ssh/run_sshd: true
--- End Message ---