|Summary:||OpenSSH publickey authentication fails when kerberos PAM enabled|
|Product:||Red Hat Enterprise Linux 4||Reporter:||Christopher Audley <christopher.d.audley>|
|Component:||pam_krb5||Assignee:||Nalin Dahyabhai <nalin>|
|Status:||CLOSED ERRATA||QA Contact:||Brian Brock <bbrock>|
|Fixed In Version:||2.1.8-1||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2006-08-11 15:17:54 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
Description Christopher Audley 2005-04-21 22:04:52 UTC
From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.7) Gecko/20050416 Red Hat/1.0.3-1.4.1 Firefox/1.0.3 Description of problem: When I enable kerberos authentication against a Windows 2003 server, using redhat-config-authentication, openssh authentication stops working correctly. If I use password authentication, without attempting publickey auth first, then authentication works If I use publickey authentication, it fails. If I use publickey authentication, then attempt password authentication, the password authentication will fail. Version-Release number of selected component (if applicable): openssh-3.9p1-8.RHEL4.1 How reproducible: Always Steps to Reproduce: 1. Install up-to-date RHEL4 2. Use redhat-config-authentication to setup kerberos auth against AD server 3. attempt to login to the machine with ssh using publickey auth openssh configuration is the stock redhat config. Actual Results: I get authentication failures every time I try to use publickey. Even password authentication fails after publickey authentication has been tried. Expected Results: Login should have succeeded. Following the same setup sequence on a RHEL3 machine produces a working openssh configuration, logging in with the same set of keys works fine. Additional info: I tried to debug this myself with little success. I did determine that when the call to monitor_read at line 310 of monitor.c returns, the public key has been accepted (authenticated is true). However, it is the call to PAM (lines 320-328 monitor.c) that changes the authenticated flag to false. A call to pam_acct_mgmt in do_pam_account returns PAM_AUTH_ERR.
Comment 1 Tomas Mraz 2005-04-21 22:23:44 UTC
The problem is that the openssh doesn't use PAM for authentication when publickey authentication is invoked. This might be a problem when using pam_krb5 in the account phase of pam config. On the other hand if the password authentication always fails after a failed publickey authentication that is really a bug which should be fixable. However the problem is most probably in the pam_krb5 module not in openssh.
Comment 2 Nalin Dahyabhai 2006-08-11 15:17:54 UTC
This should have been fixed by 2.1.8-1. Please reopen this bug if you find that it wasn't.