Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I have a public school I'm administering, and darned if some of those kids aren't extremely Linux savvy. Don't want them getting at the faculty data, so I want to get some better security than what is offered by normal NFSv3. As a result, I've been setting up NFSv4 with Kerberos.
The good news: I've set it up and it works fine. I have a Fedora 6 server and a Fedora 7 client; behavior is as expected. I can kinit, get my TGT, and access the NFSv4 share nice as you please.
The bad news: I can't seem to get pam_krb5 to succeed in fetching a TGT during login. I've tried everything, many sleepless nights, even took a look at the source code, which really put me in my place. :/ Not something I'm going to figure out on my own.
My PAM system-auth is the default Fedora 7 one that is set up by system-config-authentication; I've attached it at the bottom of this post. I turned on pam_krb5 debug to collect log information, and this is what I see:
Jan 16 16:55:07 raichu sshd: pam_krb5: krb5_get_init_creds_password(krbtgt/EXAMPLE.COM@EXAMPLE.COM) returned -1765328353 (Decrypt integrity check failed)
Jan 16 16:55:07 raichu sshd: pam_krb5: got result -1765328353 (Decrypt integrity check failed)
Jan 16 16:55:07 raichu sshd: pam_krb5: authentication fails for 'bobh' (bobh@EXAMPLE.COM): Authentication failure (Decrypt integrity check failed)
Jan 16 16:55:07 raichu sshd: pam_krb5: pam_authenticate returning 7 (Authentication failure)
However, if I first manually kinit from the account to get a TGT, I get a successful result in the logs, as follows.
Jan 16 17:02:44 raichu sshd: pam_krb5: krb5_get_init_creds_password(krbtgt/EXAMPLE.COM@EXAMPLE.COM) returned 0 (Success)
Jan 16 17:02:44 raichu sshd: pam_krb5: got result 0 (Success)
Jan 16 17:02:44 raichu sshd: pam_krb5: authentication succeeds for 'bobh' (bobh@EXAMPLE.COM)
Jan 16 17:02:44 raichu sshd: pam_krb5: pam_authenticate returning 0 (Success)
In the case when I don't kinit the account before doing the ssh, I see no credentials file created in the tmp directory by pam_krb5.
In the case where there is success, I see a credential file created in the tmp directory, which is properly destroyed after logout.
Thank you very much for the response. I continue to fight this and must admit it's quite maddening.
Unfortunately the link doesn't seem to help. I checked both my server and my client using klist -k to confirm the keytab is set up correctly. Each only has host and nfs for themselves, not for the other. I think this was the main point of the link you gave.
I still can't fathom why kinit works fine and yet pam_krb5 doesn't.