Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I have a public school I'm administering, and darned if some of those kids aren't extremely Linux savvy. Don't want them getting at the faculty data, so I want to get some better security than what is offered by normal NFSv3. As a result, I've been setting up NFSv4 with Kerberos.
The good news: I've set it up and it works fine. I have a Fedora 6 server and a Fedora 7 client, and behavior is as expected. I can kinit, get my TGT, and access the NFSv4 share nice as you please.
The bad news: I can't seem to get pam_krb5 to succeed in fetching a TGT during login. I've tried everything, many sleepless nights, even took a look at the source code, which really put me in my place. :/ Not something I'm going to figure out on my own.
My PAM system-auth is the default Fedora 7 one that is set up by system-config-authentication; I've attached it at the bottom of this post. I turned on pam_krb5 debug to collect log information and this is what I see:
Jan 16 16:55:07 raichu sshd[24367]: pam_krb5[24367]: krb5_get_init_creds_password(krbtgt/EXAMPLE.COM@EXAMPLE.COM) returned -1765328353 (Decrypt integrity check failed)
Jan 16 16:55:07 raichu sshd[24367]: pam_krb5[24367]: got result -1765328353 (Decrypt integrity check failed)
Jan 16 16:55:07 raichu sshd[24367]: pam_krb5[24367]: authentication fails for 'bobh' (bobh@EXAMPLE.COM): Authentication failure (Decrypt integrity check failed)
Jan 16 16:55:07 raichu sshd[24367]: pam_krb5[24367]: pam_authenticate returning 7 (Authentication failure)
However, if I first manually kinit from the account to get a TGT, I get a successful result in the logs as follows.
Jan 16 17:02:44 raichu sshd[24575]: pam_krb5[24575]: krb5_get_init_creds_password(krbtgt/EXAMPLE.COM@EXAMPLE.COM) returned 0 (Success)
Jan 16 17:02:44 raichu sshd[24575]: pam_krb5[24575]: got result 0 (Success)
Jan 16 17:02:44 raichu sshd[24575]: pam_krb5[24575]: authentication succeeds for 'bobh' (bobh@EXAMPLE.COM)
Jan 16 17:02:44 raichu sshd[24575]: pam_krb5[24575]: pam_authenticate returning 0 (Success)
In the case when I don't kinit the account before doing the ssh, I see no credentials file created in the tmp directory by pam_krb5.
In the case where there is success, I see a credential file created in the tmp directory which is properly destroyed after logout.
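As an added example (not from the post and not part of pam_krb5 itself), here is a small triage script that groups pam_krb5 debug lines like the ones above by the sshd PID and reports the Kerberos result of each login attempt. The sample log is constructed from the lines quoted above, and the hint text attached to each error code is this example's own reading of the code, not something the post states.

```python
import re
from collections import OrderedDict

# Constructed sample input: the pam_krb5 debug lines quoted in the post above,
# in syslog layout. This is test data for the example, not a captured file.
SAMPLE_LOG = """\
Jan 16 16:55:07 raichu sshd[24367]: pam_krb5[24367]: krb5_get_init_creds_password(krbtgt/EXAMPLE.COM@EXAMPLE.COM) returned -1765328353 (Decrypt integrity check failed)
Jan 16 16:55:07 raichu sshd[24367]: pam_krb5[24367]: got result -1765328353 (Decrypt integrity check failed)
Jan 16 16:55:07 raichu sshd[24367]: pam_krb5[24367]: authentication fails for 'bobh' (bobh@EXAMPLE.COM): Authentication failure (Decrypt integrity check failed)
Jan 16 16:55:07 raichu sshd[24367]: pam_krb5[24367]: pam_authenticate returning 7 (Authentication failure)
Jan 16 17:02:44 raichu sshd[24575]: pam_krb5[24575]: krb5_get_init_creds_password(krbtgt/EXAMPLE.COM@EXAMPLE.COM) returned 0 (Success)
Jan 16 17:02:44 raichu sshd[24575]: pam_krb5[24575]: got result 0 (Success)
Jan 16 17:02:44 raichu sshd[24575]: pam_krb5[24575]: authentication succeeds for 'bobh' (bobh@EXAMPLE.COM)
Jan 16 17:02:44 raichu sshd[24575]: pam_krb5[24575]: pam_authenticate returning 0 (Success)
"""

# syslog prefix + "pam_krb5[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<svc>\w+)\[(?P<pid>\d+)\]: "
    r"pam_krb5\[\d+\]: (?P<msg>.*)$"
)
# the AS exchange result, with the numeric krb5 error code and its text
INIT_CREDS_RE = re.compile(
    r"krb5_get_init_creds_password\((?P<princ>[^)]+)\) returned (?P<code>-?\d+) \((?P<text>[^)]*)\)"
)
# the per-user verdict line
OUTCOME_RE = re.compile(
    r"authentication (?P<outcome>fails|succeeds) for '(?P<user>[^']+)' \((?P<upn>[^)]+)\)"
)

# Codes seen in the thread. -1765328353 is ERROR_TABLE_BASE_krb5 + 31, i.e.
# KRB5KRB_AP_ERR_BAD_INTEGRITY. The hint wording is this example's interpretation.
KRB5_HINTS = {
    0: "AS exchange succeeded; pam_krb5 should have written a credential cache",
    -1765328353: ("KRB5KRB_AP_ERR_BAD_INTEGRITY: the key derived from the supplied password "
                  "could not decrypt the KDC reply (wrong or stale password, or a different "
                  "password forwarded by an earlier PAM module)"),
}


def parse_sessions(log_text):
    """Group pam_krb5 debug lines by the calling process and extract the outcome."""
    sessions = OrderedDict()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a pam_krb5 line in this layout
        s = sessions.setdefault(m["pid"], {
            "ts": m["ts"], "host": m["host"], "service": m["svc"],
            "user": None, "upn": None, "principal": None,
            "code": None, "text": None, "outcome": None,
        })
        msg = m["msg"]
        c = INIT_CREDS_RE.search(msg)
        if c:
            s["principal"] = c["princ"]
            s["code"] = int(c["code"])
            s["text"] = c["text"]
        o = OUTCOME_RE.search(msg)
        if o:
            s["user"] = o["user"]
            s["upn"] = o["upn"]
            s["outcome"] = o["outcome"]
    return sessions


def triage(log_text):
    """Return one summary line per login attempt, with a hint for the krb5 code."""
    lines = []
    for pid, s in parse_sessions(log_text).items():
        hint = KRB5_HINTS.get(s["code"], "unrecognised krb5 code %r (%s)" % (s["code"], s["text"]))
        lines.append(
            f"{s['ts']} {s['host']} {s['service']}[{pid}] user={s['user']} "
            f"outcome={s['outcome']} krb5={s['code']}: {hint}"
        )
    return lines


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print(line)
```

Grouping by the sshd PID matters because pam_krb5 emits several lines per attempt; the numeric code on the `krb5_get_init_creds_password` line is the one worth keying on, since the later "got result" and "pam_authenticate returning" lines only restate it.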
Thank you very much for the response; I continue to fight this and must admit it's quite maddening.
Unfortunately the link doesn't seem to help. I checked both my server and my client using klist -k to confirm the keytab is set up correctly. Each only has host and nfs for themselves, not for the other. I think this was the main point of the link you gave.
I still can't fathom why kinit works fine and yet pam_krb5 doesn't.
I've resolved the problem, after flailing for a week as only a newbie could. The reason pam_krb5.so wasn't working was that the account I was using for testing had a valid NIS password.
The default authentication in /etc/pam.d/system-auth under Fedora 7 with Kerberos Auth enabled and NIS enabled is
and everything started working. This was just a quick check; I suspect the "correct" thing to do is to delete the NIS password so pam_unix.so fails, allowing fall-through to pam_krb5.so.
Hopefully this will help someone else out there who's just getting started with Kerberos and PAM.
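The fall-through behaviour described in this last post, as an added example that is not from the post and not from Linux-PAM: a small simulator of the control flags (`required`, `requisite`, `sufficient`, `optional`) on an `auth` stack. The stack it runs is an assumption about what authconfig writes on Fedora with Kerberos and NIS enabled (the post's actual system-auth is not shown), so compare it with your own /etc/pam.d/system-auth. It shows why a `sufficient` pam_unix.so that succeeds on a NIS password ends the stack before pam_krb5.so is ever called, which is also why no credential cache appears in /tmp in that case.

```python
# Assumed auth stack, roughly what Fedora's authconfig generates with Kerberos and
# NIS enabled. This is an assumption for the example; the post does not show its file.
AUTH_STACK = [
    ("required",   "pam_env.so"),
    ("sufficient", "pam_unix.so"),        # local / NIS password, try_first_pass
    ("requisite",  "pam_succeed_if.so"),  # uid >= 500 quiet
    ("sufficient", "pam_krb5.so"),        # use_first_pass; on success writes a ccache
    ("required",   "pam_deny.so"),
]


def run_auth_stack(stack, outcomes):
    """Simulate Linux-PAM control-flag semantics for one pass over an auth stack.

    outcomes maps module name -> True (PAM_SUCCESS) or False (any failure).
    Returns (stack_result, modules_actually_called).
    """
    executed = []
    required_failed = False
    for control, module in stack:
        ok = outcomes.get(module, False)
        executed.append(module)
        if control == "required":
            if not ok:
                required_failed = True          # remembered, but keep going
        elif control == "requisite":
            if not ok:
                return False, executed          # bail out immediately
        elif control == "sufficient":
            if ok and not required_failed:
                return True, executed           # short-circuit: nothing below runs
        elif control == "optional":
            pass                                # never decides the result here
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return not required_failed, executed


def login_scenario(has_nis_password, krb5_password_ok):
    """Model one ssh login against AUTH_STACK and report whether pam_krb5 ran.

    Returns (authenticated, executed_modules, ccache_created). A ccache only exists
    if pam_krb5.so was actually called and its AS exchange succeeded.
    """
    outcomes = {
        "pam_env.so": True,
        "pam_unix.so": has_nis_password,     # valid NIS/local password => success
        "pam_succeed_if.so": True,           # assume a normal (uid >= 500) account
        "pam_krb5.so": krb5_password_ok,
        "pam_deny.so": False,
    }
    result, executed = run_auth_stack(AUTH_STACK, outcomes)
    ccache_created = "pam_krb5.so" in executed and krb5_password_ok
    return result, executed, ccache_created


if __name__ == "__main__":
    for nis, krb in [(True, True), (False, True), (False, False)]:
        res, ran, cc = login_scenario(nis, krb)
        print(f"nis_password={nis} krb5_ok={krb} -> auth={res} ccache={cc} ran={ran}")
```

With a valid NIS password the stack returns success at pam_unix.so and pam_krb5.so is never reached, so the login succeeds without a TGT; with the NIS password removed, pam_unix.so fails quietly (it is `sufficient`, so its failure is ignored) and control falls through to pam_krb5.so. Reordering the modules or changing `sufficient` to `required` changes this behaviour, which is worth checking deliberately rather than by trial and error.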