Debian Bug report logs - #339734
libpam-krb5: ChallengeResponse with openssh-server fails

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: marcus@better.se

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: openssh-server: Kerberos tickets are not saved (pam_krb5)

Date: Fri, 18 Nov 2005 12:49:40 +0100

Package: openssh-server
Version: 1:4.2p1-5
Severity: normal

I use OpenSSH with PAM authentication (UsePAM yes) and the pam_krb5
module. When I log in with SSH, the server correctly checks the
password agains Kerberos, but the ticket is not saved, so I have to do
"kinit" and authenticate again.

README.Debian mentions that Kerberos ticket saving does not work with
privilege separation. But I have "UsePrivilegeSeparation no" in
sshd_config, and it still doesn't work.

I seem to remember that turning off privilege separation used to work
with OpenSSH 3.x, but apparently this is no longer the case.

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-kelev
Locale: LANG=sv_SE.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8)

Versions of packages openssh-server depends on:
ii  adduser                      3.77        Add and remove users and groups
ii  debconf [debconf-2.0]        1.4.58      Debian configuration management sy
ii  dpkg                         1.13.11.0.1 package maintenance system for Deb
ii  libc6                        2.3.5-6     GNU C Library: Shared libraries an
ii  libcomerr2                   1.38-2      common error description library
ii  libkrb53                     1.3.6-5     MIT Kerberos runtime libraries
ii  libpam-modules               0.79-3      Pluggable Authentication Modules f
ii  libpam-runtime               0.79-3      Runtime support for the PAM librar
ii  libpam0g                     0.79-3      Pluggable Authentication Modules l
ii  libselinux1                  1.26-1      SELinux shared libraries
ii  libssl0.9.8                  0.9.8a-3    SSL shared libraries
ii  libwrap0                     7.6.dbs-8   Wietse Venema's TCP wrappers libra
ii  openssh-client               1:4.2p1-5   Secure shell client, an rlogin/rsh
ii  zlib1g                       1:1.2.3-4   compression library - runtime

openssh-server recommends no packages.

-- debconf information:
  ssh/insecure_rshd:
  ssh/insecure_telnetd:
  ssh/new_config: true
* ssh/use_old_init_script: true
  ssh/encrypted_host_key_but_no_keygen:
* ssh/disable_cr_auth: false

Message #10 received at 339734@bugs.debian.org (full text, mbox, reply):

From: Russ Allbery <rra@debian.org>

To: marcus@better.se

Cc: 339734@bugs.debian.org

Subject: Re: Bug#339734: openssh-server: Kerberos tickets are not saved (pam_krb5)

Date: Fri, 18 Nov 2005 11:39:54 -0800

marcus <marcus@better.se> writes:

> Package: openssh-server
> Version: 1:4.2p1-5
> Severity: normal

> I use OpenSSH with PAM authentication (UsePAM yes) and the pam_krb5
> module. When I log in with SSH, the server correctly checks the
> password agains Kerberos, but the ticket is not saved, so I have to do
> "kinit" and authenticate again.

> README.Debian mentions that Kerberos ticket saving does not work with
> privilege separation. But I have "UsePrivilegeSeparation no" in
> sshd_config, and it still doesn't work.

> I seem to remember that turning off privilege separation used to work
> with OpenSSH 3.x, but apparently this is no longer the case.

I think this is actually a bug in libpam-krb5, not in openssh.  I'm about
to upload a new libpam-krb5 package that works for me (with PAM and with
privilege separation).  Give that a try when it gets into the archive and
see if it works for you.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Message #15 received at 339734@bugs.debian.org (full text, mbox, reply):

From: Russ Allbery <rra@debian.org>

To: 339734@bugs.debian.org, marcus@better.se

Subject: Re: Bug#339734: openssh-server: Kerberos tickets are not saved (pam_krb5)

Date: Fri, 18 Nov 2005 16:54:37 -0800

Russ Allbery <rra@debian.org> writes:

> I think this is actually a bug in libpam-krb5, not in openssh.  I'm
> about to upload a new libpam-krb5 package that works for me (with PAM
> and with privilege separation).  Give that a try when it gets into the
> archive and see if it works for you.

libpam-krb5 1.2.0-1 has been uploaded.  Let me know if that fixes the
problem for you when you get a chance to try it.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Message #20 received at 339734@bugs.debian.org (full text, mbox, reply):

From: Marcus Better <marcus@better.se>

To: Russ Allbery <rra@debian.org>

Cc: 339734@bugs.debian.org

Subject: Re: Bug#339734: openssh-server: Kerberos tickets are not saved (pam_krb5)

Date: Mon, 21 Nov 2005 13:23:06 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> libpam-krb5 1.2.0-1 has been uploaded.  Let me know if that fixes the
> problem for you when you get a chance to try it.

No, I still don't get it does not fix it. I have tried both with and
without privilege separation.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDgbwqXjXn6TzcAQkRAoU4AKCnOMMtPMa/TF9M1FiQ54OBdZ65BgCgja8N
ti6pNtlk3079RVye6TNwv0c=
=hebY
-----END PGP SIGNATURE-----

Message #25 received at 339734@bugs.debian.org (full text, mbox, reply):

From: Russ Allbery <rra@debian.org>

To: Marcus Better <marcus@better.se>

Cc: 339734@bugs.debian.org

Subject: Re: Bug#339734: openssh-server: Kerberos tickets are not saved (pam_krb5)

Date: Mon, 21 Nov 2005 09:05:05 -0800

Marcus Better <marcus@better.se> writes:

>> libpam-krb5 1.2.0-1 has been uploaded.  Let me know if that fixes the
>> problem for you when you get a chance to try it.

> No, I still don't get it does not fix it. I have tried both with and
> without privilege separation.

Could you send the contents of your /etc/pam.d/common-auth and
/etc/pam.d/common-session files?  (Or your /etc/pam.d/ssh file if you
aren't configuring libpam-krb5 in the common-* files.)

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Message #30 received at 339734@bugs.debian.org (full text, mbox, reply):

From: Marcus Better <marcus@better.se>

To: Russ Allbery <rra@debian.org>

Cc: 339734@bugs.debian.org

Subject: Re: Bug#339734: openssh-server: Kerberos tickets are not saved (pam_krb5)

Date: Tue, 22 Nov 2005 09:55:36 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Could you send the contents of your /etc/pam.d/common-auth and
> /etc/pam.d/common-session files?

/etc/pam.d/common-auth:
- ------------
auth  sufficient  pam_krb5.so ignore_root
auth  required    pam_unix.so try_first_pass nullok_secure
- ------------

/etc/pam.d/common-session:
- ------------
session  optional  pam_krb5.so ignore_root
session  required  pam_unix.so
- ------------

/etc/pam.d/ssh:
- ------------
auth       required     pam_env.so # [1]
@include common-auth

@include common-account

@include common-session
session    optional     pam_motd.so # [1]
session    optional     pam_mail.so standard noenv # [1]
session    required     pam_limits.so

@include common-password
- ------------

Marcus
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDgt0HXjXn6TzcAQkRAubmAJ44m+5t8hF0P+XY+aykBtmc0IgaRACfblxr
YMrBExYSWVhoX+uTfNORWiQ=
=akf8
-----END PGP SIGNATURE-----

Message #35 received at 339734@bugs.debian.org (full text, mbox, reply):

From: Russ Allbery <rra@debian.org>

To: Marcus Better <marcus@better.se>

Cc: 339734@bugs.debian.org

Subject: Re: Bug#339734: openssh-server: Kerberos tickets are not saved (pam_krb5)

Date: Tue, 22 Nov 2005 11:26:49 -0800

Marcus Better <marcus@better.se> writes:

> /etc/pam.d/common-auth:
> ------------
> auth  sufficient  pam_krb5.so ignore_root
> auth  required    pam_unix.so try_first_pass nullok_secure
> ------------

> /etc/pam.d/common-session:
> ------------
> session  optional  pam_krb5.so ignore_root
> session  required  pam_unix.so
> ------------

Hm.  That looks okay.  Could you add "debug" to the end of the two
pam_krb5.so lines and then send me the resulting log output from syslog of
a successful login that doesn't save the ticket cache?

Thanks!

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Message #40 received at 339734@bugs.debian.org (full text, mbox, reply):

From: Marcus Better <marcus@better.se>

To: Russ Allbery <rra@debian.org>

Cc: 339734@bugs.debian.org

Subject: Re: Bug#339734: openssh-server: Kerberos tickets are not saved (pam_krb5)

Date: Wed, 23 Nov 2005 10:10:59 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Russ Allbery wrote:

> Hm.  That looks okay.  Could you add "debug" to the end of the two
> pam_krb5.so lines and then send me the resulting log output from syslog

Here it is:

Nov 23 10:06:37 myhost sshd[18820]: (pam_krb5): none:
pam_sm_authenticate: entry
Nov 23 10:06:39 myhost sshd[18820]: (pam_krb5): marcus:
pam_sm_authenticate: exit (success)
Nov 23 10:06:39 myhost sshd[18818]: Accepted keyboard-interactive/pam
for marcus from 192.168.1.2 port 39812 ssh2
Nov 23 10:06:39 myhost sshd[18821]: (pam_krb5): none: pam_sm_setcred:
entry (0x2)
Nov 23 10:06:39 myhost sshd[18821]: (pam_krb5): none: pam_sm_setcred:
exit (failure)
Nov 23 10:06:39 myhost sshd[18821]: (pam_unix) session opened for user
marcus by (uid=0)
Nov 23 10:06:39 myhost sshd[18821]: (pam_krb5): none: pam_sm_setcred:
entry (0x8)
Nov 23 10:06:39 myhost sshd[18821]: (pam_krb5): none: pam_sm_setcred:
exit (failure)

<now logging out...>

Nov 23 10:06:42 myhost sshd[18821]: (pam_krb5): none: pam_sm_setcred:
entry (0x4)
Nov 23 10:06:42 myhost sshd[18821]: (pam_unix) session closed for user
marcus
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDhDIjXjXn6TzcAQkRAgXzAKD4iXHp1666tCpemhs/twCMOjcyKwCg8nvS
1O5ZWpZYBssJIAXrBi7ulkI=
=2fDP
-----END PGP SIGNATURE-----

Message #45 received at 339734@bugs.debian.org (full text, mbox, reply):

From: Russ Allbery <rra@debian.org>

To: Marcus Better <marcus@better.se>

Cc: Russ Allbery <rra@debian.org>, 339734@bugs.debian.org

Subject: Re: Bug#339734: openssh-server: Kerberos tickets are not saved (pam_krb5)

Date: Mon, 28 Nov 2005 20:26:44 -0800

Marcus Better <marcus@better.se> writes:

> Here it is:

> Nov 23 10:06:37 myhost sshd[18820]: (pam_krb5): none:
> pam_sm_authenticate: entry
> Nov 23 10:06:39 myhost sshd[18820]: (pam_krb5): marcus:
> pam_sm_authenticate: exit (success)
> Nov 23 10:06:39 myhost sshd[18818]: Accepted keyboard-interactive/pam
> for marcus from 192.168.1.2 port 39812 ssh2
> Nov 23 10:06:39 myhost sshd[18821]: (pam_krb5): none: pam_sm_setcred:
> entry (0x2)
> Nov 23 10:06:39 myhost sshd[18821]: (pam_krb5): none: pam_sm_setcred:
> exit (failure)

This is very strange to me.  Clearly, saving the credentials is indeed not
working, and yet I have no trouble.  Below I show starting from scratch
with a configuration and succeeding.

Is there something unusual in your configuration?  Permissions on /tmp for
ticket caches?  I'm not sure what else could cause this.  Does it happen
with console login as well?  There must be something different about your
system than mine.

Script started on Mon Nov 28 20:18:35 2005
wanderer:/root# aptitude install openssh-server libpam-krb5
[...]
The following NEW packages will be installed:
  libpam-krb5 openssh-server 
0 packages upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 0B/241kB of archives. After unpacking 561kB will be used.
Preconfiguring packages ...
Selecting previously deselected package libpam-krb5.
(Reading database ... 92312 files and directories currently installed.)
Unpacking libpam-krb5 (from .../libpam-krb5_1.2.0-1_i386.deb) ...
Selecting previously deselected package openssh-server.
Unpacking openssh-server (from .../openssh-server_1%3a4.2p1-5_i386.deb) ...
Setting up libpam-krb5 (1.2.0-1) ...
Setting up openssh-server (4.2p1-5) ...
Creating SSH2 RSA key; this may take some time ...
Creating SSH2 DSA key; this may take some time ...
Restarting OpenBSD Secure Shell server: sshd.

wanderer:/root# cat >! /etc/pam.d/common-auth
auth  sufficient  pam_krb5.so ignore_root
auth  required    pam_unix.so try_first_pass nullok_secure
wanderer:/root# cat >! /etc/pam.d/common-session
session  optional  pam_krb5.so ignore_root
session  required  pam_unix.so
wanderer:/root# cat /etc/pam.d/ssh
# PAM configuration for the Secure Shell service

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth       required     pam_env.so # [1]

# Standard Un*x authentication.
@include common-auth

# Standard Un*x authorization.
@include common-account

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
session    optional     pam_motd.so # [1]

# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so

# Set up SELinux capabilities (need modified pam)
# session  required     pam_selinux.so multiple

# Standard Un*x password updating.
@include common-password
wanderer:/root# ssh -l thoron localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is 76:2a:82:88:77:17:d5:15:b0:8b:e7:1c:e4:ac:29:2d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
thoron@localhost's password: 
Linux wanderer 2.6.14-2-686 #1 Mon Nov 14 14:19:05 UTC 2005 i686 GNU/Linux
Last login: Mon Nov 21 15:19:54 2005 from wanderer.stanford.edu
thoron@wanderer:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1001_yMu5vb
Default principal: thoron@stanford.edu

Valid starting     Expires            Service principal
11/28/05 20:20:58  11/29/05 06:20:43  krbtgt/stanford.edu@stanford.edu


Kerberos 4 ticket cache: /tmp/tkt1001
klist: You have no tickets cached
thoron@wanderer:~$ logout
Connection to localhost closed.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Message #50 received at 339734@bugs.debian.org (full text, mbox, reply):

From: Marcus Better <marcus@better.se>

To: Russ Allbery <rra@debian.org>

Cc: 339734@bugs.debian.org

Subject: Re: Bug#339734: openssh-server: Kerberos tickets are not saved (pam_krb5)

Date: Tue, 29 Nov 2005 09:30:54 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Is there something unusual in your configuration?

I don't think so.

I use Heimdal, perhaps that's a difference? And I have the user accounts
in LDAP (but the passwords managed by Kerberos, outside of LDAP).

> Permissions on /tmp for ticket caches?

# l -d /tmp
drwxrwxrwt  9 root root 560 2005-11-29 09:02 /tmp

I can get tickets with kinit... Also, I'm certain that it did work with
the old ssh package (3.8.something) once privilege separation was turned
off. Perhaps I should downgrade.

> Does it happen with console login as well?

I don't know, it's a remote machine.

> thoron@localhost's password: 

Why does it say that? I get only "Password:". I have the same version of
 libpam-krb5 and openssh-server.

Marcus
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDjBG+XjXn6TzcAQkRAjX6AJ0bseaWR/NiCabQE2Uh4QtywshaXACeOu7T
IRPgkFZIRspp5ZELdE7GmeM=
=jLZX
-----END PGP SIGNATURE-----

Message #55 received at 339734@bugs.debian.org (full text, mbox, reply):

From: Russ Allbery <rra@debian.org>

To: Marcus Better <marcus@better.se>

Cc: 339734@bugs.debian.org

Subject: Re: Bug#339734: openssh-server: Kerberos tickets are not saved (pam_krb5)

Date: Wed, 30 Nov 2005 14:04:55 -0800

reassign 339734 libpam-krb5
severity 339734 serious
retitle 339734 libpam-krb5: ChallengeResponse with openssh-server fails
thanks

Marcus Better <marcus@better.se> writes:

>> thoron@localhost's password: 

> Why does it say that? I get only "Password:". I have the same version of
> libpam-krb5 and openssh-server.

Looks like that was the secret.  The problem is with
ChallengeResponseAuthentication; if you turn it on, the module fails, and
if you turn it off, it works.

I'll try to figure out what's going on and fix this.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Message #68 received at 339734@bugs.debian.org (full text, mbox, reply):

From: Russ Allbery <rra@debian.org>

To: 339734@bugs.debian.org, Marcus Better <marcus@better.se>

Subject: Re: Bug#339734: openssh-server: Kerberos tickets are not saved (pam_krb5)

Date: Thu, 01 Dec 2005 13:17:27 -0800

Russ Allbery <rra@debian.org> writes:

> Looks like that was the secret.  The problem is with
> ChallengeResponseAuthentication; if you turn it on, the module fails,
> and if you turn it off, it works.

> I'll try to figure out what's going on and fix this.

I have a patch for this, but I'm giving upstream a chance to take a look
first and make sure I didn't do anything stupid before I upload it.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Message #75 received at 339734-close@bugs.debian.org (full text, mbox, reply):

From: Russ Allbery <rra@debian.org>

To: 339734-close@bugs.debian.org

Subject: Bug#339734: fixed in libpam-krb5 1.2.0-2

Date: Tue, 24 Jan 2006 23:17:05 -0800

Source: libpam-krb5
Source-Version: 1.2.0-2

We believe that the bug you reported is fixed in the latest version of
libpam-krb5, which is due to be installed in the Debian FTP archive:

libpam-krb5_1.2.0-2.diff.gz
  to pool/main/libp/libpam-krb5/libpam-krb5_1.2.0-2.diff.gz
libpam-krb5_1.2.0-2.dsc
  to pool/main/libp/libpam-krb5/libpam-krb5_1.2.0-2.dsc
libpam-krb5_1.2.0-2_i386.deb
  to pool/main/libp/libpam-krb5/libpam-krb5_1.2.0-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 339734@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Russ Allbery <rra@debian.org> (supplier of updated libpam-krb5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 16 Jan 2006 18:11:57 -0800
Source: libpam-krb5
Binary: libpam-krb5
Architecture: source i386
Version: 1.2.0-2
Distribution: unstable
Urgency: low
Maintainer: Sam Hartman <hartmans@debian.org>
Changed-By: Russ Allbery <rra@debian.org>
Description: 
 libpam-krb5 - PAM module for MIT Kerberos
Closes: 339734 341926 342271 344003
Changes: 
 libpam-krb5 (1.2.0-2) unstable; urgency=low
 .
   * Always use a disk cache for temporary storage of credentials and cope
     with not having module-specific data during pam_sm_setcred by passing
     the cache path in an environment variable.  This is required to cope
     with OpenSSH's technique (when using ChallengeResponseAuthentication)
     of doing PAM authentication in a child process and then opening the
     session in the parent.  (Closes: #339734)
   * Only initialize the ticket cache once no matter how many times setcred
     is called.  Saves duplicate work and works around a bug in xdm, which
     calls setcred repeatedly and discards the environment set by the final
     call.
   * Don't assume we already have a context when changing passwords; passwd
     doesn't work that way.  (Closes: #344003)
   * Fix the test for the new password.  I don't think this would have
     worked at all before.
   * Improve debugging output for password changes.
   * If search_k5login is specified but no .k5login is found, still check
     the user with krb5_kuserok in case there are custom principal mappings
     defined.
   * Handle ignore_root in a cleaner fashion and add support for
     ignore_root on password changes.
   * Depend on krb5-config.  (Closes: #342271)
   * Document that ccache and ccache_dir must be specified as options to
     the session module.  (Closes: #341926)
   * Document that pam_sm_authenticate and pam_sm_setcred also call
     krb5_kuserok.
   * Properly override the upstream CFLAGS so that debugging builds work.
   * Don't ignore errors from make clean.
   * Providing binary-indep in debian/rules is required by Policy even if
     there are no arch-independent packages.  Whoops.
Files: 
 66ea3b8e445835dc6ce8ebf794325529 657 net optional libpam-krb5_1.2.0-2.dsc
 c9f5ce7e96c44a8e91c8c3885f4f15f4 17408 net optional libpam-krb5_1.2.0-2.diff.gz
 1d0f6fff2d06e30d735432be350e948a 32606 net optional libpam-krb5_1.2.0-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFD1yM1+YXjQAr8dHYRAoeBAJ9Wiq6fuRuf/WdwSDkmRyicqqISIQCgmChF
Y2sYBLEcFkqb7AMJWkJSSfc=
=wemy
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.