Bug 484322
| Field | Value |
|---|---|
| Summary | valid(?) PAM configuration file causes "fatal: PAM: pam_setcred()" error |
| Product | Fedora |
| Component | openssh |
| Version | 10 |
| Status | CLOSED NOTABUG |
| Severity | medium |
| Priority | low |
| Reporter | James Ralston <ralston> |
| Assignee | Tomas Mraz <tmraz> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | mgrepl, tmraz |
| Hardware | All |
| OS | Linux |
| Doc Type | Bug Fix |
| Last Closed | 2009-02-07 12:42:27 UTC |
Description
James Ralston
2009-02-06 01:21:31 UTC
I wouldn't say that it is a bug, rather a limitation of the PAM support in sshd. Due to the privilege separation and the nature of the ssh protocol, the PAM support in sshd might have some slight problems with some modules. Namely, pam_authenticate() is in some authentication methods executed in a different process than pam_setcred(), but the PAM stack chain should be frozen in pam_setcred(). Try this configuration:

```
auth required pam_env.so
auth [default=ignore success=3] pam_succeed_if.so uid >= 1000 uid < 61000 quiet
auth [default=ignore success=2] pam_succeed_if.so uid > 61999 quiet
auth sufficient pam_unix.so nullok try_first_pass
auth required pam_deny.so
auth sufficient pam_krb5.so try_first_pass
auth required pam_deny.so
```

Another possible configuration change which might fix this is to disable privilege separation in the sshd_config.

Disabling privilege separation in sshd_config had no effect, but your suggested configuration works; both password and keyboard-interactive authentication now work. Thanks much for the suggested config.

For anyone else stumbling across this bug, as an additional tip, if you want this "split" authentication to work, you also need to set the following options in sshd_config:

```
# These must all be set to no; PAM will decide whether to use Kerberos
# authentication or local authentication.
KerberosAuthentication no
KerberosOrLocalPasswd no
KerberosTicketCleanup no
KerberosGetAFSToken no

# If the host has a service key, and the user has a TGT in the same realm, this
# will enable gssapi-with-mic authentication to login the user without being
# prompted for a password.
GSSAPIAuthentication yes
```

(Feel free to close this with either NOTABUG or CANTFIX, at your discretion.)
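The jump-based `auth` stack suggested above decides per uid whether pam_unix.so or pam_krb5.so is consulted, and the `success=3` / `success=2` counts are easy to get wrong by one. The following is an added example, not code from this bug report or from Linux-PAM: it walks that exact stack with the control-flag semantics documented in pam.conf(5) (ok, done, bad, die, ignore and the numeric jump) and reports which modules a given uid reaches. Module behaviour is stubbed: the verdicts of pam_unix.so and pam_krb5.so are constructed inputs supplied by the caller, and pam_succeed_if.so is modelled only for numeric `uid OP N` tests. It simulates a single pam_authenticate() call and says nothing about how sshd later replays the chain from pam_setcred(), which is the limitation the comment describes.

```python
"""Walk a Linux-PAM auth stack the way pam_authenticate() does.

Added example: not code from this bug report or from Linux-PAM.  It models the
control-flag semantics documented in pam.conf(5) (ok, done, bad, die, ignore
and the numeric jump) for the stack suggested in the comment above.  Module
behaviour is stubbed: the verdicts of pam_unix.so and pam_krb5.so are supplied
by the caller (constructed inputs), and pam_succeed_if.so only understands
numeric 'uid OP N' tests.
"""
import re

SUCCESS, AUTH_ERR, PERM_DENIED = "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_PERM_DENIED"

# The auth stack proposed in the comment above, copied verbatim.
AUTH_STACK = """\
auth required pam_env.so
auth [default=ignore success=3] pam_succeed_if.so uid >= 1000 uid < 61000 quiet
auth [default=ignore success=2] pam_succeed_if.so uid > 61999 quiet
auth sufficient pam_unix.so nullok try_first_pass
auth required pam_deny.so
auth sufficient pam_krb5.so try_first_pass
auth required pam_deny.so
"""

# Keyword controls and their bracket equivalents, as listed in pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

SUCCEED_IF_FLAGS = {"quiet", "quiet_fail", "quiet_success", "debug", "use_uid", "audit"}
UID_OPS = {"=": int.__eq__, "!=": int.__ne__, "<": int.__lt__, "<=": int.__le__,
           ">": int.__gt__, ">=": int.__ge__}


def parse_stack(text):
    """Return [(actions, module, args)] for each non-comment line of a PAM service."""
    stack = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"\S+\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", line)
        if not m:
            raise ValueError("unparseable PAM line: %r" % line)
        control, module, args = m.groups()
        actions = (dict(t.split("=", 1) for t in control[1:-1].split())
                   if control.startswith("[") else dict(KEYWORDS[control]))
        stack.append((actions, module, args.split()))
    return stack


def run_module(module, args, uid, backends):
    """Stub module behaviour; 'backends' maps pam_unix.so/pam_krb5.so to a verdict."""
    if module == "pam_env.so":
        return SUCCESS
    if module == "pam_deny.so":
        return AUTH_ERR
    if module == "pam_succeed_if.so":
        toks = [t for t in args if t not in SUCCEED_IF_FLAGS]
        for field, op, value in zip(toks[0::3], toks[1::3], toks[2::3]):
            if field != "uid":
                raise ValueError("model only supports uid tests, got %r" % field)
            if not UID_OPS[op](uid, int(value)):
                return AUTH_ERR
        return SUCCESS
    return backends[module]


def authenticate(stack, uid, backends):
    """Return (status, modules consulted in order) for one pam_authenticate() call.

    Per pam.conf(5): ok/done record the module's code unless a failure is
    already recorded; bad/die record the first failure; done/die stop the walk;
    an integer N behaves like ok and then skips the next N modules.  Linux-PAM
    starts from PAM_PERM_DENIED, so a stack where every module is ignored fails.
    """
    status, impression, consulted, i = PERM_DENIED, None, [], 0
    while i < len(stack):
        actions, module, args = stack[i]
        ret = run_module(module, args, uid, backends)
        consulted.append(module)
        # The return code selects an action; missing codes fall back to 'default', then 'bad'.
        action = actions.get(ret[len("PAM_"):].lower(), actions.get("default", "bad"))
        skip = 0
        if action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", ret
            if action == "die":
                break
        elif action != "ignore":  # ok, done, or a jump count
            if impression is None or (impression == "positive" and status == SUCCESS):
                impression, status = ("positive" if ret == SUCCESS else "negative"), ret
            if action == "done":
                break
            if action != "ok":
                skip = int(action)
        i += 1 + skip
    return status, consulted


if __name__ == "__main__":
    stack = parse_stack(AUTH_STACK)
    for uid in (500, 1000, 61500, 62000):
        # Make both backends reject so the walk shows every module a uid can reach.
        status, path = authenticate(stack, uid, {"pam_unix.so": AUTH_ERR, "pam_krb5.so": AUTH_ERR})
        print("uid %5d -> %-14s via %s" % (uid, status, " ".join(path)))
```

Running it shows that only uids below 1000 and in 61000..61999 reach pam_unix.so; 1000..60999 and everything above 61999 jump straight to pam_krb5.so, since both jumps land on the same line. It also shows that when a local account's password is rejected the walk does not stop at the first pam_deny.so, because bad only records the failure, so pam_krb5.so is still consulted (and may contact the KDC) before the final denial; if that matters, the first pam_deny.so can be made requisite to stop the stack there.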