We are running Kerberos/Ldap on RHEL 5.2, both server and clients. We
have found that if we set
ChallengeResponseAuthentication yes
in sshd_conf the result is no TGT ticket is created when a user logs
in by ssh. This problem is detailed in a Debian bug report here; we
don't see it having ever been fixed in redhat
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=339734
Setting
PasswordAuthentication yes
does work, at least in our environment.
If anyone has any further information on this we'd appreciate it.
Cheers,
Steve
On Wed, Nov 11, 2009 at 11:28 PM, Jeffrey Watts
<jeffrey...@gmail.com> wrote:
> On Wed, Nov 11, 2009 at 9:46 AM, Javier Palacios <jav...@gmail.com> wrote:
>
< snip >
>
> One quick thing you must look at first, however, is your sshd_config. The
> stock F11 sshd setup is not compatible with pam_krb5. The following two
> options must be set:
> ChallengeResponseAuthentication yes
> UsePAM yes
>
> The latter is set by default, but the former is not. If
> ChallengeResponseAuthentication is disabled, sshd will not use PAM for
> authentication, which means pam_krb5 will never get invoked to handle the
> auth. You should also enable the two GSSAPI options so that sshd will take
> tickets.
>
< snip >
> Good luck,
> Jeffrey.
>
--
Steve Glasser
sgla...@gmail.com
Keep in mind, though, that I'm using current versions of PAM, pam_krb5 and
Kerberos with my RHEL5 systems, so it's possible that it's a bug fixed later
on.
Jeffrey.
On Thu, Nov 12, 2009 at 10:27 AM, Steve Glasser <sgla...@gmail.com> wrote:
> Hi all,
>
> We are running Kerberos/Ldap on RHEL 5.2, both server and clients. We
> have found that if we set
> ChallengeResponseAuthentication yes
> in sshd_conf the result is no TGT ticket is created when a user logs
> in by ssh. This problem is detailed in a Debian bug report here; we
> don't see it having ever been fixed in redhat
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=339734
> Setting
> PasswordAuthentication yes
> does work, at least in our environment.
>
> If anyone has any further information on this we'd appreciate it.
>
>
--
"He that would make his own liberty secure must guard even his enemy from
oppression; for if he violates this duty he establishes a precedent that
will reach to himself." -- Thomas Paine
> We are running Kerberos/Ldap on RHEL 5.2, both server and clients. We
> have found that if we set
> ChallengeResponseAuthentication yes
> in sshd_conf the result is no TGT ticket is created when a user logs
> in by ssh. This problem is detailed in a Debian bug report here; we
> don't see it having ever been fixed in redhat
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=339734
> Setting
> PasswordAuthentication yes
> does work, at least in our environment.
Red Hat and Debian use completely different code bases for pam-krb5. That
particular bug (ssh running PAM in odd contexts and discarding PAM data)
is something that I thought Red Hat's PAM module had its own workaround
for using shared memory or some such thing, but since I don't use it, I'm
not sure.
--
Russ Allbery (r...@stanford.edu) <http://www.eyrie.org/~eagle/>
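
The sshd_config directives discussed in this thread can be checked on a host before testing whether a login produces a TGT. The following is an added example, not part of the original thread: a small Python parser that reports the first (effective) global value of each directive. The sample config is constructed, and the two GSSAPI option names are an assumption, since the thread does not name them.

```python
import re

# Directives named in the thread, plus the two standard sshd GSSAPI options
# (assumed: the thread only says "the two GSSAPI options").
WATCHED = ("ChallengeResponseAuthentication", "PasswordAuthentication",
           "UsePAM", "GSSAPIAuthentication", "GSSAPICleanupCredentials")

def effective_globals(text):
    """Return {directive: value or None} for the global section.

    sshd_config keywords are case-insensitive and the first occurrence of a
    keyword wins. Parsing stops at the first Match block, because settings
    inside it are conditional. None means the file does not set the
    directive, so the compiled-in default applies.
    """
    canon = {k.lower(): k for k in WATCHED}
    found = {k: None for k in WATCHED}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "match":
            break
        name = canon.get(parts[0].lower())
        args = parts[1].split() if len(parts) == 2 else []
        if name and found[name] is None and args:
            found[name] = args[0].lower()
    return found

def password_paths(cfg):
    """SSH methods that accept a typed password and are set to yes."""
    paths = []
    if cfg["ChallengeResponseAuthentication"] == "yes":
        paths.append("keyboard-interactive")
    if cfg["PasswordAuthentication"] == "yes":
        paths.append("password")
    return paths

# Constructed sample: a duplicate keyword, "=" syntax and a Match block.
SAMPLE = """\
challengeresponseauthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM=yes
GSSAPIAuthentication yes
Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    print(effective_globals(SAMPLE), password_paths(effective_globals(SAMPLE)))
```

On a live host, `sshd -T` prints the effective configuration including defaults; running `klist` after each login method then shows whether a ticket was obtained.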