Bug 155623

Summary: OpenSSH publickey authentication fails when kerberos PAM enabled
Product: Red Hat Enterprise Linux 4
Reporter: Christopher Audley <christopher.d.audley>
Component: pam_krb5
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED ERRATA
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: medium
Version: 4.0
CC: tmraz
Hardware: All
OS: Linux
Fixed In Version: 2.1.8-1
Doc Type: Bug Fix
Last Closed: 2006-08-11 15:17:54 UTC

Description Christopher Audley 2005-04-21 22:04:52 UTC

Description of problem:
When I enable Kerberos authentication against a Windows 2003 server, using redhat-config-authentication, OpenSSH authentication stops working correctly.

If I use password authentication, without attempting publickey auth first, then authentication works.

If I use publickey authentication, it fails.

If I use publickey authentication, then attempt password authentication, the password authentication will fail.

Version-Release number of selected component (if applicable):
openssh-3.9p1-8.RHEL4.1

How reproducible:
Always

Steps to Reproduce:
1. Install up-to-date RHEL4
2. Use redhat-config-authentication to set up Kerberos auth against AD server
3. Attempt to log in to the machine with ssh using publickey auth

The OpenSSH configuration is the stock Red Hat config.

Actual Results: I get authentication failures every time I try to use publickey. Even password authentication fails after publickey authentication has been tried.

Expected Results: Login should have succeeded. Following the same setup sequence on a RHEL3 machine produces a working OpenSSH configuration; logging in with the same set of keys works fine.

Additional info:

I tried to debug this myself with little success. I did determine that when the call to monitor_read at line 310 of monitor.c returns, the public key has been accepted (authenticated is true). However, it is the call to PAM (lines 320-328 monitor.c) that changes the authenticated flag to false. A call to pam_acct_mgmt in do_pam_account returns PAM_AUTH_ERR.

Comment 1 Tomas Mraz 2005-04-21 22:23:44 UTC
The problem is that openssh doesn't use PAM for authentication when
publickey authentication is invoked. This might be a problem when using pam_krb5
in the account phase of pam config.

On the other hand, if the password authentication always fails after a failed
publickey authentication, that is really a bug which should be fixable. However,
the problem is most probably in the pam_krb5 module, not in openssh.
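
A configuration check for the condition Comment 1 describes, added here as an example; it is not part of the bug report and is not code from OpenSSH or pam_krb5. It lists the pam_krb5 entries in the PAM account phase that sshd will still run after a publickey login. The function names are hypothetical, both sample configurations are constructed, and the parser assumes the stack passed in is already resolved (it does not follow include or pam_stack references).

```python
import re

# Constructed sample inputs (assumptions, not taken from the bug report).
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config fragment
UsePAM yes
#PubkeyAuthentication yes
"""
SAMPLE_PAM_STACK = """\
#%PAM-1.0  (constructed example stack)
auth        sufficient    pam_unix.so likeauth nullok
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
session     optional      pam_krb5.so
"""

# type, control (simple keyword or bracketed list), module path, arguments
PAM_LINE = re.compile(r"^\s*(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def sshd_option(text, name, default):
    """Return the first uncommented value of a keyword; sshd uses the first value it reads."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0].lower() == name.lower():
            return parts[1].strip().lower()
    return default

def pam_entries(text, phase):
    """Yield (control, module, args) for each line of one PAM phase."""
    for line in text.splitlines():
        m = PAM_LINE.match(line.split("#", 1)[0])
        if m and m.group(1).lstrip("-") == phase:
            yield m.group(2), m.group(3), m.group(4).strip()

def pubkey_account_exposure(sshd_config, pam_stack, module="pam_krb5"):
    """Account-phase entries for `module` that run even when the key, not PAM, authenticated."""
    # Upstream defaults: UsePAM no, PubkeyAuthentication yes.
    use_pam = sshd_option(sshd_config, "UsePAM", "no") == "yes"
    pubkey = sshd_option(sshd_config, "PubkeyAuthentication", "yes") == "yes"
    if not (use_pam and pubkey):
        return []
    return [(ctl, mod) for ctl, mod, _ in pam_entries(pam_stack, "account")
            if module in mod]

if __name__ == "__main__":
    for control, mod in pubkey_account_exposure(SAMPLE_SSHD_CONFIG, SAMPLE_PAM_STACK):
        print(f"account phase runs {mod} with control {control} after publickey auth")
```

Any entry it reports is a module whose account check runs without its own auth phase having been called in that session, which is the path where the reporter saw pam_acct_mgmt return PAM_AUTH_ERR.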


Comment 2 Nalin Dahyabhai 2006-08-11 15:17:54 UTC
This should have been fixed by 2.1.8-1.  Please reopen this bug if you find that
it wasn't.