Old 01-17-2008, 03:15 PM   #1
Bobism
kerberos kinit gets TGT, pam_krb5 wont get TGT


Hi All,

I have a public school I'm administering, and darned if some of those kids aren't extremely Linux savvy. Don't want them getting at the faculty data, so I want to get some better security than what is offered by normal NFSv3. As a result, I've been setting up NFSv4 with Kerberos.

The good news, I've set it up and it works fine. I have a Fedora 6 server and a Fedora 7 client, behavior is as expected. I can kinit, get my TGT, and access NFSv4 share nice as you please.

The bad news, I can't seem to get pam_krb5 to succeed in fetching a TGT during login. I've tried everything, many sleepless nights, even took a look at the source code which really put me in my place. :/ Not something I'm going to figure out on my own.

My PAM system-auth is the default Fedora 7 one that is set up by system-config-authentication; I've attached it at the bottom of this post. I turned on pam_krb5 debug to collect log information and this is what I see:

Jan 16 16:55:07 raichu sshd[24367]: pam_krb5[24367]: krb5_get_init_creds_password(krbtgt/EXAMPLE.COM@EXAMPLE.COM) returned -1765328353 (Decrypt integrity check failed)
Jan 16 16:55:07 raichu sshd[24367]: pam_krb5[24367]: got result -1765328353 (Decrypt integrity check failed)
Jan 16 16:55:07 raichu sshd[24367]: pam_krb5[24367]: authentication fails for 'bobh' (bobh@EXAMPLE.COM): Authentication failure (Decrypt integrity check failed)
Jan 16 16:55:07 raichu sshd[24367]: pam_krb5[24367]: pam_authenticate returning 7 (Authentication failure)

However, if I first manually kinit from the account to get a TGT, I get a successful result in the logs as follows.

Jan 16 17:02:44 raichu sshd[24575]: pam_krb5[24575]: krb5_get_init_creds_password(krbtgt/EXAMPLE.COM@EXAMPLE.COM) returned 0 (Success)
Jan 16 17:02:44 raichu sshd[24575]: pam_krb5[24575]: got result 0 (Success)
Jan 16 17:02:44 raichu sshd[24575]: pam_krb5[24575]: authentication succeeds for 'bobh' (bobh@EXAMPLE.COM)
Jan 16 17:02:44 raichu sshd[24575]: pam_krb5[24575]: pam_authenticate returning 0 (Success)

In the case when I don't kinit the account before doing the ssh, I see no credentials file created in the tmp directory by pam_krb5.
In the case where there is success, I see a credentials file created in the tmp directory which is properly destroyed after logout.

Anyone able to help me?

Thanks in advance,
Bob
- system-auth
---------------------
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nis nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
 
Old 01-19-2008, 08:29 AM   #2
unSpawn
Moderator
Does FAQ entry Subject: 4.2. "Decrypt integrity check failed" help to get your TS going?
 
Old 01-21-2008, 02:35 PM   #3
Bobism
Thank you very much for the response. I continue to fight this and must admit it's quite maddening.

Unfortunately the link doesn't seem to help. I checked both my server and my client using klist -k to confirm the keytab is set up correctly. Each only has host and nfs for themselves, not for the other. I think this was the main point of the link you gave.

I still can't fathom why kinit works fine and yet pam_krb5 doesn't.
 
Old 01-21-2008, 05:47 PM   #4
Bobism
Conclusion (finally!)

I've resolved the problem, flailing for a week as only a newbie could. The reason pam_krb5.so wasn't working was because the account I was using for testing had a valid NIS password.

The default authentication in /etc/pam.d/system-auth under Fedora 7 with Kerberos Auth enabled and NIS enabled is

auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so

so since NIS/pam_unix.so satisfied the authentication, pam_krb5.so was never called and I never got my TGT.

What I did temporarily was change the order:

auth required pam_env.so
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

and everything started working. This was just a quick check; I suspect the "correct" thing to do is to delete the NIS password so pam_unix.so fails, allowing fall-through to pam_krb5.so.

Hopefully, this will help someone else out there who's just getting started with kerberos and pam.

Regards!
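The behaviour described in post #1 (pam_krb5 never creating a credential cache) and the fix in post #4 (reordering the stack) both come down to how Linux-PAM walks an `auth` stack: a `sufficient` module that succeeds ends the walk immediately, so nothing after it runs. The following is an added example, not code from the original thread or from Linux-PAM, that models those control-flag semantics in Python and runs the two stacks from the thread against a constructed user who, like the poster's test account, has both a valid NIS password and a Kerberos principal. The user names, passwords and UIDs are constructed sample data; `use_first_pass`/`try_first_pass` password handling is not modelled.

```python
"""Toy model of Linux-PAM `auth` stack evaluation (constructed example, not Linux-PAM code).

Control flags as modelled here:
  required   - a failure is remembered, but the remaining modules still run
  requisite  - a failure ends the stack immediately with failure
  sufficient - a success ends the stack immediately with success, unless an earlier
               `required` module already failed; a failure is simply ignored
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed sample data standing in for NIS/shadow and for the Kerberos KDC.
NIS_PASSWORDS = {"bobh": "secret"}                   # has a valid NIS password
KDC_PASSWORDS = {"bobh": "secret", "alice": "pw2"}   # both have Kerberos principals
UIDS = {"bobh": 501, "alice": 502}


@dataclass
class Session:
    user: str
    password: str
    tgt_obtained: bool = False          # set when the modelled pam_krb5 succeeds
    trace: List[str] = field(default_factory=list)  # which modules actually ran


def pam_env(s: Session) -> bool:
    return True                          # only sets environment variables


def pam_unix(s: Session) -> bool:
    return NIS_PASSWORDS.get(s.user) == s.password


def pam_succeed_if_uid_ge_500(s: Session) -> bool:
    return UIDS.get(s.user, 0) >= 500


def pam_krb5(s: Session) -> bool:
    ok = KDC_PASSWORDS.get(s.user) == s.password
    if ok:
        s.tgt_obtained = True            # models writing the credential cache under /tmp
    return ok


def pam_deny(s: Session) -> bool:
    return False


MODULES: Dict[str, Callable[[Session], bool]] = {
    "pam_env.so": pam_env,
    "pam_unix.so": pam_unix,
    "pam_succeed_if.so": pam_succeed_if_uid_ge_500,
    "pam_krb5.so": pam_krb5,
    "pam_deny.so": pam_deny,
}

# The two stacks quoted in the thread, reduced to (control, module) pairs.
FEDORA_DEFAULT: List[Tuple[str, str]] = [
    ("required", "pam_env.so"),
    ("sufficient", "pam_unix.so"),
    ("requisite", "pam_succeed_if.so"),
    ("sufficient", "pam_krb5.so"),
    ("required", "pam_deny.so"),
]
REORDERED: List[Tuple[str, str]] = [
    ("required", "pam_env.so"),
    ("sufficient", "pam_krb5.so"),
    ("sufficient", "pam_unix.so"),
    ("requisite", "pam_succeed_if.so"),
    ("required", "pam_deny.so"),
]


def run_auth_stack(stack: List[Tuple[str, str]], session: Session) -> bool:
    """Walk the stack top to bottom and return the overall authentication result."""
    required_failed = False
    for control, name in stack:
        ok = MODULES[name](session)
        session.trace.append(f"{name}: {'ok' if ok else 'fail'}")
        if control == "requisite" and not ok:
            return False
        if control == "required" and not ok:
            required_failed = True
        if control == "sufficient" and ok and not required_failed:
            return True                  # later modules (e.g. pam_krb5) never run
    return not required_failed


def login(stack: List[Tuple[str, str]], user: str, password: str) -> Session:
    """Authenticate and return the session so the caller can inspect trace and TGT state."""
    session = Session(user, password)
    session.authenticated = run_auth_stack(stack, session)
    return session


if __name__ == "__main__":
    for label, stack in (("default", FEDORA_DEFAULT), ("reordered", REORDERED)):
        s = login(stack, "bobh", "secret")
        print(f"{label:9s} auth={s.authenticated} tgt={s.tgt_obtained} ran={s.trace}")
```

With the Fedora default order, `bobh` authenticates via pam_unix and the walk stops there, so pam_krb5 never runs and no TGT is obtained, exactly what the poster saw. With pam_krb5 moved first, the walk stops at pam_krb5 with a TGT. Running `alice`, who has no NIS entry, through the default stack shows the poster's suggested "correct" fix: pam_unix fails (ignored because it is `sufficient`), and the stack falls through to pam_krb5.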