Bug 155623 - OpenSSH publickey authentication fails when kerberos PAM enabled
Summary: OpenSSH publickey authentication fails when kerberos PAM enabled
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: pam_krb5
Version: 4.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Brian Brock
Depends On:
Reported: 2005-04-21 22:04 UTC by Christopher Audley
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: 2.1.8-1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2006-08-11 15:17:54 UTC
Target Upstream Version:

Description Christopher Audley 2005-04-21 22:04:52 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.7) Gecko/20050416 Red Hat/1.0.3-1.4.1 Firefox/1.0.3

Description of problem:
When I enable kerberos authentication against a Windows 2003 server, using redhat-config-authentication, openssh authentication stops working correctly.

If I use password authentication, without attempting publickey auth first, then authentication works.

If I use publickey authentication, it fails.

If I use publickey authentication, then attempt password authentication, the password authentication will fail.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install up-to-date RHEL4
2. Use redhat-config-authentication to set up kerberos auth against AD server
3. Attempt to log in to the machine with ssh using publickey auth

openssh configuration is the stock redhat config.

Actual Results:  I get authentication failures every time I try to use publickey.  Even password authentication fails after publickey authentication has been tried.

Expected Results:  Login should have succeeded.  Following the same setup sequence on a RHEL3 machine produces a working openssh configuration, logging in with the same set of keys works fine.

Additional info:

I tried to debug this myself with little success.  I did determine that when the call to monitor_read at line 310 of monitor.c returns, the public key has been accepted (authenticated is true).  However, it is the call to PAM (lines 320-328 monitor.c) that changes the authenticated flag to false.  A call to pam_acct_mgmt in do_pam_account returns PAM_AUTH_ERR.

Comment 1 Tomas Mraz 2005-04-21 22:23:44 UTC
The problem is that openssh doesn't use PAM for authentication when
publickey authentication is invoked. This might be a problem when using pam_krb5
in the account phase of pam config.

On the other hand, if the password authentication always fails after a failed
publickey authentication, that is really a bug which should be fixable. However,
the problem is most probably in the pam_krb5 module, not in openssh.
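
The interaction described in Comment 1, as an added example that is not part of the original comment or of either project's code: it parses a constructed PAM service file and lists the account-phase modules that run without their own auth rule having run when sshd accepts a public key. The sample file, the function names and the assumption that password logins go through PAM auth are illustrative; `pam_stack`/`include` indirection is not followed.

```python
import os

# Constructed sample PAM service file ("type control module args"), not taken from the bug.
SAMPLE_PAM = """\
#%PAM-1.0
auth     required    pam_env.so
auth     sufficient  pam_unix.so likeauth nullok
auth     sufficient  /lib/security/pam_krb5.so use_first_pass
auth     required    pam_deny.so
account  required    pam_unix.so
account  [default=bad success=ok user_unknown=ignore] pam_krb5.so
session  required    pam_limits.so
"""

def parse_pam(text):
    """Return a list of (type, control, module_basename, args) rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        mtype, rest = parts[0].lstrip("-"), parts[1]
        if rest.startswith("["):              # bracketed control: [value=action ...]
            end = rest.find("]")
            if end < 0:
                continue                      # malformed control, skip the line
            control, rest = rest[:end + 1], rest[end + 1:]
        else:
            ctl = rest.split(None, 1)
            control, rest = ctl[0], (ctl[1] if len(ctl) > 1 else "")
        fields = rest.split()
        if fields:
            rules.append((mtype, control, os.path.basename(fields[0]), fields[1:]))
    return rules

def phases_run(method):
    # Assumption from the thread: sshd verifies a public key itself and skips PAM auth,
    # but still calls pam_acct_mgmt; password logins are assumed to use PAM auth too.
    return ("account",) if method == "publickey" else ("auth", "account")

def account_without_auth(text, method):
    """Account-phase modules that also have an auth rule which did not run."""
    if "auth" in phases_run(method):
        return []
    rules = parse_pam(text)
    auth_mods = {m for t, _, m, _ in rules if t == "auth"}
    return [m for t, _, m, _ in rules if t == "account" and m in auth_mods]

if __name__ == "__main__":
    for method in ("password", "publickey"):
        print(method, account_without_auth(SAMPLE_PAM, method))
```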

Comment 2 Nalin Dahyabhai 2006-08-11 15:17:54 UTC
This should have been fixed by 2.1.8-1.  Please reopen this bug if you find that
it wasn't.
