Ubuntu
libpam-krb5 package

Bug #275169
Comment #12

Comment 12 for bug 275169

Revision history for this message

Philip Lowman (philip-yhbt) wrote on 2009-01-07:

#12

On Mon, Jan 5, 2009 at 1:56 PM, Philip Lowman <email address hidden> wrote:

>> Is there any update for this? From my point of view pam-auth-update
>> seems to be a step backwards from auth-client-config so long as there is
>> no built-in support for configuring kerberos. I guess it's back to
>> configuring /etc/pam.d manually?
>>

>I'm not sure if this solves your problem, but if you're trying to configure
>a Linux system to use Kerberos for authentication you can use
>auth-client-config:
>
> *sudo auth-client-config -a -p kerberos_example*

Adam,

Yeah, I tried this starting from the stock PAM configuration that comes with Ubuntu 8.10 and for some reason it didn't work on our systems (although I've done this before on Ubuntu 8.04 with success). I didn't mean to blame pam-auth-update for the problem, I wasn't sure what the issue was exactly a couple of days ago, I was just frustrated that things didn't "just work".

I looked a little closer at the issue today and I believe the problem has something to do with pam_unix.so and pam_krb5.so lines in common-auth being swapped. Here they are in my Ubuntu 8.04 common-auth

Ubuntu 8.04 common-auth:
============
auth [success=done default=ignore] pam_unix.so nullok_secure debug
auth [authinfo_unavail=ignore success=1 default=2] pam_krb5.so use_first_pass debug
auth [default=done] pam_ccreds.so action=validate use_first_pass
auth [default=done] pam_ccreds.so action=store
auth [default=bad] pam_ccreds.so action=update

And here they are along with the other PAM config files and auth.log in Ubuntu 8.10 after running "auth-client-config -a -p kerberos_example".

Ubuntu 8.10...
common-auth:
============
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-5, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

# pre_auth-client-config # # here are the per-package modules (the "Primary" block)
# pre_auth-client-config # auth [success=1 default=ignore] pam_unix.so nullok_secure
# pre_auth-client-config # # here's the fallback if no module succeeds
# pre_auth-client-config # auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
# pre_auth-client-config # auth required pam_permit.so
# pre_auth-client-config # # and here are more per-package modules (the "Additional" block)

# pre_auth-client-config # # end of pam-auth-update config
auth [authinfo_unavail=ignore success=1 default=2] pam_krb5.so use_first_pass ignore_root debug
auth [success=done default=ignore] pam_unix.so nullok_secure debug
auth [default=done] pam_ccreds.so action=validate use_first_pass
auth [default=done] pam_ccreds.so action=store
auth [default=bad] pam_ccreds.so action=update

common-session:
============
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-5, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

# pre_auth-client-config # # here are the per-package modules (the "Primary" block)
# pre_auth-client-config # session [default=1] pam_permit.so
# pre_auth-client-config # # here's the fallback if no module succeeds
# pre_auth-client-config # session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
# pre_auth-client-config # session required pam_permit.so
# pre_auth-client-config # # and here are more per-package modules (the "Additional" block)
# pre_auth-client-config # session required pam_unix.so
# pre_auth-client-config # session optional pam_ck_connector.so nox11
# pre_auth-client-config # # end of pam-auth-update config
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
session optional pam_foreground.so
session optional pam_krb5.so debug
session required pam_unix.so debug

common-password:
============
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords. The default is pam_unix.

# Explanation of pam_unix options:
#
# The "sha512" option enables salted SHA512 passwords. Without this option,
# the default is Unix crypt. Prior releases used the option "md5".
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs.
#
# See the pam_unix manpage for other options.

# As of pam 1.0.1-5, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

# pre_auth-client-config # # here are the per-package modules (the "Primary" block)
# pre_auth-client-config # password [success=1 default=ignore] pam_unix.so obscure sha512
# pre_auth-client-config # # here's the fallback if no module succeeds
# pre_auth-client-config # password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
# pre_auth-client-config # password required pam_permit.so
# pre_auth-client-config # # and here are more per-package modules (the "Additional" block)
# pre_auth-client-config # # end of pam-auth-update config
password sufficient pam_unix.so nullok obscure min=4 max=8 md5 debug
password sufficient pam_krb5.so debug try_first_pass
password required pam_deny.so

common-account:
============
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-5, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
#

# pre_auth-client-config # # here are the per-package modules (the "Primary" block)
# pre_auth-client-config # account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# pre_auth-client-config # # here's the fallback if no module succeeds
# pre_auth-client-config # account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
# pre_auth-client-config # account required pam_permit.so
# pre_auth-client-config # # and here are more per-package modules (the "Additional" block)
# pre_auth-client-config # # end of pam-auth-update config
account sufficient pam_krb5.so debug
account sufficient pam_unix.so debug
account required pam_permit.so

/var/log/auth.log:
============
Jan 7 16:42:12 nin sshd[32175]: Invalid user lowmanp from 136.180.81.146
Jan 7 16:42:12 nin sshd[32175]: PAM unable to dlopen(/lib/security/pam_foreground.so): /lib/security/pam_foreground.so: cannot open shared object file: No such file or directory
Jan 7 16:42:12 nin sshd[32175]: PAM adding faulty module: /lib/security/pam_foreground.so
Jan 7 16:42:12 nin sshd[32175]: Failed none for invalid user lowmanp from 136.180.81.146 port 54620 ssh2
Jan 7 16:42:14 nin sshd[32175]: (pam_krb5): none: pam_sm_authenticate: entry (0x1)
Jan 7 16:42:14 nin sshd[32175]: (pam_krb5): lowmanp: attempting authentication as <email address hidden>
Jan 7 16:42:14 nin sshd[32175]: (pam_krb5): lowmanp: krb5_get_init_creds_password: Preauthentication failed
Jan 7 16:42:14 nin sshd[32175]: (pam_krb5): lowmanp: pam_sm_authenticate: exit (failure)
Jan 7 16:42:14 nin sshd[32175]: Failed password for invalid user lowmanp from 136.180.81.146 port 54620 ssh2

On Mon, Jan 5, 2009 at 1:56 PM, Philip Lowman <philip@yhbt.com> wrote:

Adam,

Yeah, I tried this starting from the stock PAM configuration that comes with Ubuntu 8.10 and for some reason it didn't work on our systems (although I've done this before on Ubuntu 8.04 with success).  I didn't mean to blame pam-auth-update for the problem, I wasn't sure what the issue was exactly a couple of days ago, I was just frustrated that things didn't "just work".

Ubuntu 8.04 common-auth:
============
auth    [success=done default=ignore]   pam_unix.so nullok_secure debug
auth    [authinfo_unavail=ignore success=1 default=2] pam_krb5.so use_first_pass debug
auth    [default=done]  pam_ccreds.so action=validate use_first_pass
auth    [default=done]  pam_ccreds.so action=store
auth    [default=bad]   pam_ccreds.so action=update

And here they are along with the other PAM config files and auth.log in Ubuntu 8.10 after running "auth-client-config -a -p kerberos_example".

Ubuntu 8.10...
common-auth:
============
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-5, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# pre_auth-client-config # # here are the per-package modules (the "Primary" block)
# pre_auth-client-config # auth	[success=1 default=ignore]	pam_unix.so nullok_secure
# pre_auth-client-config # # here's the fallback if no module succeeds
# pre_auth-client-config # auth	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
# pre_auth-client-config # auth	required			pam_permit.so
# pre_auth-client-config # # and here are more per-package modules (the "Additional" block)

# pre_auth-client-config # # end of pam-auth-update config
auth    [authinfo_unavail=ignore success=1 default=2] pam_krb5.so use_first_pass ignore_root debug
auth    [success=done default=ignore]   pam_unix.so nullok_secure debug
auth    [default=done]  pam_ccreds.so action=validate use_first_pass
auth    [default=done]  pam_ccreds.so action=store
auth    [default=bad]   pam_ccreds.so action=update

# pre_auth-client-config # # here are the per-package modules (the "Primary" block)
# pre_auth-client-config # session	[default=1]			pam_permit.so
# pre_auth-client-config # # here's the fallback if no module succeeds
# pre_auth-client-config # session	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
# pre_auth-client-config # session	required			pam_permit.so
# pre_auth-client-config # # and here are more per-package modules (the "Additional" block)
# pre_auth-client-config # session	required	pam_unix.so 
# pre_auth-client-config # session	optional			pam_ck_connector.so nox11
# pre_auth-client-config # # end of pam-auth-update config
session required        pam_mkhomedir.so umask=0022 skel=/etc/skel
session optional        pam_foreground.so
session optional        pam_krb5.so debug
session required        pam_unix.so debug

# Explanation of pam_unix options:
#
# The "sha512" option enables salted SHA512 passwords.  Without this option,
# the default is Unix crypt.  Prior releases used the option "md5".
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs.
#
# See the pam_unix manpage for other options.

# pre_auth-client-config # # here are the per-package modules (the "Primary" block)
# pre_auth-client-config # password	[success=1 default=ignore]	pam_unix.so obscure sha512
# pre_auth-client-config # # here's the fallback if no module succeeds
# pre_auth-client-config # password	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
# pre_auth-client-config # password	required			pam_permit.so
# pre_auth-client-config # # and here are more per-package modules (the "Additional" block)
# pre_auth-client-config # # end of pam-auth-update config
password sufficient     pam_unix.so nullok obscure min=4 max=8 md5 debug
password sufficient     pam_krb5.so debug try_first_pass
password required       pam_deny.so

common-account:
============
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-5, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.
#

# pre_auth-client-config # # here are the per-package modules (the "Primary" block)
# pre_auth-client-config # account	[success=1 new_authtok_reqd=done default=ignore]	pam_unix.so 
# pre_auth-client-config # # here's the fallback if no module succeeds
# pre_auth-client-config # account	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
# pre_auth-client-config # account	required			pam_permit.so
# pre_auth-client-config # # and here are more per-package modules (the "Additional" block)
# pre_auth-client-config # # end of pam-auth-update config
account sufficient      pam_krb5.so debug
account sufficient      pam_unix.so debug
account required        pam_permit.so

/var/log/auth.log:
============
Jan  7 16:42:12 nin sshd[32175]: Invalid user lowmanp from 136.180.81.146
Jan  7 16:42:12 nin sshd[32175]: PAM unable to dlopen(/lib/security/pam_foreground.so): /lib/security/pam_foreground.so: cannot open shared object file: No such file or directory
Jan  7 16:42:12 nin sshd[32175]: PAM adding faulty module: /lib/security/pam_foreground.so
Jan  7 16:42:12 nin sshd[32175]: Failed none for invalid user lowmanp from 136.180.81.146 port 54620 ssh2
Jan  7 16:42:14 nin sshd[32175]: (pam_krb5): none: pam_sm_authenticate: entry (0x1)
Jan  7 16:42:14 nin sshd[32175]: (pam_krb5): lowmanp: attempting authentication as lowmanp@SIMWIN.GDLS.COM
Jan  7 16:42:14 nin sshd[32175]: (pam_krb5): lowmanp: krb5_get_init_creds_password: Preauthentication failed
Jan  7 16:42:14 nin sshd[32175]: (pam_krb5): lowmanp: pam_sm_authenticate: exit (failure)
Jan  7 16:42:14 nin sshd[32175]: Failed password for invalid user lowmanp from 136.180.81.146 port 54620 ssh2

Ubuntulibpam-krb5 package

Comment 12 for bug 275169

Ubuntu
libpam-krb5 package