Bug 486256

Summary: keyboard-interactive auth does not cache Kerberos credentials
Product: Red Hat Enterprise Linux 5
Reporter: James Ralston <ralston>
Component: openssh
Assignee: Tomas Mraz <tmraz>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE <qe-baseos-auto>
Severity: medium
Priority: low
Version: 5.3
CC: nalin
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-03-30 08:37:14 UTC

Description James Ralston 2009-02-19 03:51:11 UTC
(I'm filing against openssh, but I suspect this might be a pam_krb5 issue.)

If I use:

openssh-4.3p2-29.el5
pam_krb5-2.2.14-10

on an ssh server with these sshd options:

PasswordAuthentication yes
ChallengeResponseAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes

And these PAM modules:

auth        required      pam_env.so
auth        requisite     pam_succeed_if.so uid >= 0 quiet
auth        [default=ignore success=3] pam_succeed_if.so uid >= 1000 uid <61000 quiet
auth        [default=ignore success=2] pam_succeed_if.so uid > 61999 quiet
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=4]   pam_deny.so
auth        [authinfo_unavail=ignore success=1 default=2] pam_krb5.so debug use_first_pass
auth        [default=2 success=done] pam_ccreds.so action=validate use_first_pass
auth        [default=done] pam_ccreds.so action=store
auth        [default=bad] pam_ccreds.so action=update
auth        required      pam_deny.so

Then although "password" authentication properly stashes the Kerberos credentials, "keyboard-interactive" authentication does not.

This is trivial to test from a client:

$ ssh -o PreferredAuthentications=keyboard-interactive rhel5host.example.org 'echo x${KRB5CCNAME}x; sleep 3'
Password for joeuser: 
xx

But: 

$ ssh -o PreferredAuthentications=password rhel5host.example.org 'echo x${KRB5CCNAME}x; sleep 3'
joeuser.org's password: 
xFILE:/tmp/krb5cc_1000_HPTOMXx

I have tested both with and without PrivilegeSeparation, but it makes no difference in the results.

However, when a Fedora 10 box is the server, the Kerberos credentials are cached properly with both password and keyboard-interactive authentication.

When I enable pam_krb5 debugging for all services, I see that the logs are mostly the same. However, the Fedora 10 logs contain this very illuminating snippet:

Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: recovered v5 credentials from shared memory segment 141656097
Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: recovered v4 credential state from shared memory segment 141688866
Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: removing v5 shared memory segment 141656097 creator pid 5710
Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: cleanup function removing shared memory segment 141656097 belonging to process 5710
Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: removing v4 shared memory segment 141688866 creator pid 5710
Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: cleanup function removing shared memory segment 141688866 belonging to process 5710
Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: creating v5 ccache for 'joeuser', uid=1000, gid=1000
Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: saving v5 credentials to 'MEMORY:_pam_krb5_tmp_s_joeuser' for internal use
Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: copied credentials from "MEMORY:_pam_krb5_tmp_s_joeuser" to "FILE:/tmp/krb5cc_1000_dK5708" for the user, destroying "MEMORY:_pam_krb5_tmp_s_joeuser"
Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: created v5 ccache 'FILE:/tmp/krb5cc_1000_TOZdDz' for 'joeuser'

I have not studied the source yet, but my guess is that pam_krb5-2.3.2-1.fc10 (Fedora) jumps through hoops to preserve the credentials when keyboard-interactive is in use, and that the hoop-jumping code was added after pam_krb5-2.2.14-10 (on RHEL5), but Red Hat hasn't backported it to RHEL5.

Is that what is happening here? If so, is there any way to get credential caching working for keyboard-interactive authentication on RHEL5 hosts?

Comment 1 James Ralston 2009-03-06 17:47:35 UTC
Cross-filed as Red Hat Service Request 1901374.

Comment 2 Nalin Dahyabhai 2009-03-06 20:19:45 UTC
(In reply to comment #0)
> However, when a Fedora 10 box is the server, the Kerberos credentials are
> cached properly with both password and keyboard-interactive authentication.
> 
> When I enable pam_krb5 debugging for all services, I see that the logs are
> mostly the same. However, the Fedora 10 logs contain this very illuminating
> snippet:
> 
> Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: recovered v5 credentials
> from shared memory segment 141656097
> Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: recovered v4 credential
> state from shared memory segment 141688866
> Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: removing v5 shared memory
> segment 141656097 creator pid 5710
> Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: cleanup function removing
> shared memory segment 141656097 belonging to process 5710
> Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: removing v4 shared memory
> segment 141688866 creator pid 5710
> Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: cleanup function removing
> shared memory segment 141688866 belonging to process 5710
> Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: creating v5 ccache for
> 'joeuser', uid=1000, gid=1000
> Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: saving v5 credentials to
> 'MEMORY:_pam_krb5_tmp_s_joeuser' for internal use
> Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: copied credentials from
> "MEMORY:_pam_krb5_tmp_s_joeuser" to
> "FILE:/tmp/krb5cc_1000_dK5708" for the user, destroying
> "MEMORY:_pam_krb5_tmp_s_joeuser"
> Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: created v5 ccache
> 'FILE:/tmp/krb5cc_1000_TOZdDz' for 'joeuser'
> 
> I have not studied the source yet, but my guess is that pam_krb5-2.3.2-1.fc10
> (Fedora) jumps through hoops to preserve the credentials when
> keyboard-interactive is in use, and that the hoop-jumping code was added after
> pam_krb5-2.2.14-10 (on RHEL5), but Red Hat hasn't backported it to RHEL5.
> 
> Is that what is happening here? If so, is there any way to get credential
> caching working for keyboard-interactive authentication on RHEL5 hosts?  

I believe you're right here.  I'm pretty sure that setting "use_shmem = sshd" in /etc/krb5.conf's [appdefaults] "pam" subsection will do the right thing here.  We started setting this as the default in 2.2.15, so that's what's going on in Fedora 10, but I don't think we've brought that back to RHEL5 yet.

Can you verify that when you make this change, the right thing starts happening?
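
The krb5.conf change Nalin describes, written out as an added example (this fragment is not part of the bug report). The use_shmem line is the actual fix; the ccache_dir line is included only to show where the option referred to in comment 3 lives, and its value is an assumption, not something the report states:

```ini
; /etc/krb5.conf (fragment) -- the rest of the file is unchanged
[appdefaults]
    pam = {
        ; Tell pam_krb5 to hand the credentials it obtained in the PAM
        ; conversation back to the sshd parent through a shared-memory
        ; segment. Under keyboard-interactive, sshd runs the auth stack
        ; in a separate process (the "creator pid" in the Fedora logs),
        ; so without this the ccache never reaches the user's session.
        use_shmem = sshd

        ; Directory for the user's credential cache (assumed value).
        ccache_dir = /tmp
    }
```

use_shmem takes a list of PAM service names, so it only affects logins that go through the sshd service; per comment 2, pam_krb5 2.2.15 and later (hence Fedora 10) already default it to sshd, while the RHEL5 pam_krb5-2.2.14-10 build does not. After editing the file, rerun the client test from the description with PreferredAuthentications=keyboard-interactive and confirm that KRB5CCNAME is now set.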

Comment 3 James Ralston 2009-03-06 22:21:30 UTC
Confirmed; with "use_shmem = sshd", keyboard-interactive authentication properly stashes credentials.

As an added bonus, not only does keyboard-interactive stash the credentials, but it obeys the ccache_dir setting, which neither gssapi-with-mic nor password authentication does; see bug 487439.

Comment 4 Tomas Mraz 2009-03-30 08:37:14 UTC
As this is just a matter of configuration, I am closing the bug report.