Bug 1153076

Summary: .k5login file ignored in GSSAPI authentication
Product: [Fedora] Fedora
Reporter: František Dvořák <valtri>
Component: openssh
Assignee: Petr Lautrbach <plautrba>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 21
CC: fweimer, mattias.ellert, mgrepl, plautrba, sbose, tmraz
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: openssh-6.6.1p1-7.fc21
Doc Type: Bug Fix
Last Closed: 2014-11-14 12:10:15 UTC
Type: Bug

Description František Dvořák 2014-10-15 15:02:54 UTC
Description of problem:

In Fedora 21, the .k5login file is ignored by the ssh server. The .k5users file can still be used instead.


Version-Release number of selected component (if applicable):

openssh-server-6.6.1p1-5.fc21.1.x86_64
krb5-libs-1.12.2-9.fc21.x86_64


How reproducible:
Always.


Steps to Reproduce:
0. you need a machine with openssh-server and working Kerberos:
  - machine has keytab
  - machine has proper krb5.conf

2. on server: echo "YOU_PRINCIPAL@YOUR_REALM" >> ~/.k5login

3. on client: kinit YOU_PRINCIPAL@YOUR_REALM

4. on client: ssh root@SERVER


Actual results:

- ssh client asks interactively for password

- event in /var/log/audit/audit.log:
type=USER_AUTH msg=audit(1413383249.883:157): pid=769 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=gssapi acct="root" exe="/usr/sbin/sshd" hostname=? addr=147.228.1.32 terminal=ssh res=failed'

- 'strace /usr/sbin/sshd' doesn't show attempts to read /root/.k5login


Expected results:

- non-interactive logging in


Additional info:

Comment 1 Sumit Bose 2014-10-16 16:20:09 UTC
Looks like the default of the KerberosUseKuserok option changed. I guess if you add

KerberosUseKuserok yes

to /etc/ssh/sshd_config it should work again.

Comment 2 František Dvořák 2014-10-16 19:51:02 UTC
I see, after enabling KerberosUseKuserok it works now! The option is mentioned in the sshd_config manual page.

It looks like this behaviour change comes from Fedora (servconf.c file):

http://pkgs.fedoraproject.org/cgit/openssh.git/commit/?id=7463b66c253822126bfb49a97b7d6b05a79cd019

Comment 3 Fedora Update System 2014-11-04 19:42:13 UTC
openssh-6.6.1p1-6.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/openssh-6.6.1p1-6.fc21

Comment 4 Petr Lautrbach 2014-11-04 19:48:07 UTC
I've reverted the default value of KerberosUseKuserok back to yes in the latest update. Please provide a karma if it works for you.

Comment 5 Fedora Update System 2014-11-05 19:24:37 UTC
Package openssh-6.6.1p1-6.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing openssh-6.6.1p1-6.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-14298/openssh-6.6.1p1-6.fc21
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2014-11-10 06:08:02 UTC
Package openssh-6.6.1p1-7.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing openssh-6.6.1p1-7.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-14298/openssh-6.6.1p1-7.fc21
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2014-11-14 12:10:15 UTC
openssh-6.6.1p1-7.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
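
The audit.log record quoted in the description is the server-side trace of this regression, so the following added example (not part of the bug report or of OpenSSH) parses records of that shape and counts failed GSSAPI attempts per account and client address. The sample log is constructed, and the function names `parse_user_auth` and `failed_gssapi` are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample records modelled on the audit.log line quoted in the report.
# Addresses are documentation addresses; the PAM and USER_LOGIN records are illustrative.
SAMPLE_AUDIT_LOG = """\
type=USER_AUTH msg=audit(1413383249.883:157): pid=769 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=gssapi acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1413383301.120:163): pid=802 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=gssapi acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1413383310.004:171): pid=811 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=gssapi acct="alice" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.11 terminal=ssh res=success'
type=USER_AUTH msg=audit(1413383322.551:180): pid=802 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1413383322.900:184): pid=802 uid=0 auid=0 ses=3 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success'
type=USER_AUTH msg=audit(1413383400.
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\):")
INNER = re.compile(r"msg='([^']*)'")            # the quoted payload written by sshd
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value or key="value"


def parse_user_auth(line):
    """Return the fields of a USER_AUTH record, or None for any other line."""
    head = HEADER.match(line)
    inner = INNER.search(line)
    if not head or head.group(1) != "USER_AUTH" or not inner:
        return None  # other record type, or a truncated/malformed line
    fields = {key: value.strip('"') for key, value in FIELD.findall(inner.group(1))}
    fields["time"] = datetime.fromtimestamp(int(head.group(2)), tz=timezone.utc)
    fields["serial"] = int(head.group(4))
    return fields


def failed_gssapi(log_text):
    """Count failed GSSAPI authentications per (account, client address)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_user_auth(line)
        if rec and rec.get("op") == "gssapi" and rec.get("res") == "failed":
            counts[(rec.get("acct"), rec.get("addr"))] += 1
    return counts


if __name__ == "__main__":
    for (acct, addr), n in failed_gssapi(SAMPLE_AUDIT_LOG).most_common():
        print(f"{n} failed gssapi attempt(s) for acct={acct} from {addr}")
```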