Bug 101183

Summary: openssh-server-3.1p1-8 and krb5 pam module do not work together.. prevent logins
Product: [Retired] Red Hat Linux Reporter: Pat Hennessy <path>
Component: opensshAssignee: Nalin Dahyabhai <nalin>
Status: CLOSED ERRATA QA Contact: Brian Brock <bbrock>
Severity: high Docs Contact:
Priority: medium    
Version: 7.3CC: hooft, lcole, m.a.young, m.keir, xenophon
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2003-09-25 09:54:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Pat Hennessy 2003-07-29 21:01:30 UTC
Description of problem:
openssh-server-3.1p1-8 will close incoming connection if kerberos is enabled
with the authconfig tool.  Accounts which do not have kerberos accounts will
still get prompted for a password and are still able to login (like root).  This
is using RedHat 7.3 with all applicable updates, authenticating against a
Windows 2000 Server Domain Controller with all applicable updates (using the
krb5 pam module, NOT the smb auth pam module.)

Version-Release number of selected component (if applicable):
3.1p1-8

How reproducible:
Every time.

Steps to Reproduce:
1. Install RedHat Linux.
2. Use authconfig to enable kerberos auth (and use a windows 2000 server).
3. Run up2date to get the latest openssh package.
4. Try to login with any account that will use kerberos (not pam_unix).

Comment 1 Pat Hennessy 2003-07-31 20:26:34 UTC
We were also able to reproduce the problem with a RedHat 9 server.

Comment 2 Pat Hennessy 2003-07-31 20:28:49 UTC
Found someone else has submited the same problem under a different bug report.

See #101361

Comment 3 Michael Young 2003-08-05 16:21:53 UTC
I have been looking at the problem for our systems, and on 7.3 at least the
server segfaults if kerberos authentication is enabled, though gdb suggests the
crash is in the libkrb5 code - so the failure could be related to things not
being initialized when libkrb5 expects them to be in the extra call of pam.

Comment 4 Pat Hennessy 2003-08-11 18:45:28 UTC
Found someone else has submited the same problem under a different bug report.

See #101799

Comment 5 Peter van Hooft 2003-09-16 18:26:38 UTC
I investigated this problem somewhat, and it looks like a problem originating in
the openssh-<version>-pam-timing.patch, at least if I leave this patch out,
everything seems to work. I've made tracebacks for 3.1p1 as well as for 3.6p2
(on 7.3 and 9 respectively), which I can make available if you like. (BTW, we're
authenticating against a Windows KDC.)


Comment 6 Michael Young 2003-09-16 18:47:34 UTC
Try the new openssh security fix package, I think this bug might be fixed as well.

Comment 7 Rich Graves 2003-09-16 19:35:03 UTC
We concur, new build seems to fix this problem as well.

Comment 8 Peter van Hooft 2003-09-16 19:42:03 UTC
OK, seems events caught up with me.  I can confirm this problem has been fixed
in the new packages.

Comment 9 Mark J. Cox 2003-09-25 09:53:15 UTC
*** Bug 101799 has been marked as a duplicate of this bug. ***

Comment 10 Mark J. Cox 2003-09-25 09:53:46 UTC
*** Bug 101361 has been marked as a duplicate of this bug. ***