Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.

Bug 155623

Summary: OpenSSH publickey authentication fails when kerberos PAM enabled
Product: Red Hat Enterprise Linux 4 Reporter: Christopher Audley <christopher.d.audley>
Component: pam_krb5Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED ERRATA QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: medium    
Version: 4.0CC: tmraz
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: 2.1.8-1 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-08-11 15:17:54 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Christopher Audley 2005-04-21 22:04:52 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.7) Gecko/20050416 Red Hat/1.0.3-1.4.1 Firefox/1.0.3

Description of problem:
When I enable kerberos authentication against a Windows 2003 server, using redhat-config-authentication, openssh authentication stops working correctly.

If I use password authentication, without attempting publickey auth first, then authentication works

If I use publickey authentication, it fails.

If I use publickey authentication, then attempt password authentication, the password authentication will fail.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install up-to-date RHEL4
2. Use redhat-config-authentication to setup kerberos auth against AD server
3. attempt to login to the machine with ssh using publickey auth

openssh configuration is the stock redhat config.

Actual Results:  I get authentication failures every time I try to use publickey.  Even password authentication fails after publickey authentication has been tried.

Expected Results:  Login should have succeeded.  Following the same setup sequence on a RHEL3 machine produces a working openssh configuration, logging in with the same set of keys works fine.

Additional info:

I tried to debug this myself with little success.  I did determine that when the call to monitor_read at line 310 of monitor.c returns, the public key has been accepted (authenticated is true).  However, it is the call to PAM (lines 320-328 monitor.c) that changes the authenticated flag to false.  A call to pam_acct_mgmt in do_pam_account returns PAM_AUTH_ERR.

Comment 1 Tomas Mraz 2005-04-21 22:23:44 UTC
The problem is that the openssh doesn't use PAM for authentication when
publickey authentication is invoked. This might be a problem when using pam_krb5
in the account phase of pam config.

On the other hand if the password authentication always fails after a failed
publickey authentication that is really a bug which should be fixable. However
the problem is most probably in the pam_krb5 module not in openssh.

Comment 2 Nalin Dahyabhai 2006-08-11 15:17:54 UTC
This should have been fixed by 2.1.8-1.  Please reopen this bug if you find that
it wasn't.