Bug 486256 - keyboard-interactive auth does not cache Kerberos credentials

Field | Value
---|---
Product | Red Hat Enterprise Linux 5
Component | openssh
Version | 5.3
Hardware | All
OS | Linux
Status | CLOSED NOTABUG
Severity | medium
Priority | low
Target Milestone | rc
Target Release | ---
Reporter | James Ralston <ralston>
Assignee | Tomas Mraz <tmraz>
QA Contact | BaseOS QE <qe-baseos-auto>
CC | nalin
Doc Type | Bug Fix
Story Points | ---
Type | ---
Regression | ---
Mount Type | ---
Documentation | ---
Category | ---
oVirt Team | ---
Cloudforms Team | ---
Last Closed | 2009-03-30 08:37:14 UTC
Description

James Ralston, 2009-02-19 03:51:11 UTC

Cross-filed as Red Hat Service Request 1901374.

(In reply to comment #0)

> However, when a Fedora 10 box is the server, the Kerberos credentials are cached properly with both password and keyboard-interactive authentication.
>
> When I enable pam_krb5 debugging for all services, I see that the logs are mostly the same. However, the Fedora 10 logs contain this very illuminating snippet:
>
> Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: recovered v5 credentials from shared memory segment 141656097
> Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: recovered v4 credential state from shared memory segment 141688866
> Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: removing v5 shared memory segment 141656097 creator pid 5710
> Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: cleanup function removing shared memory segment 141656097 belonging to process 5710
> Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: removing v4 shared memory segment 141688866 creator pid 5710
> Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: cleanup function removing shared memory segment 141688866 belonging to process 5710
> Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: creating v5 ccache for 'joeuser', uid=1000, gid=1000
> Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: saving v5 credentials to 'MEMORY:_pam_krb5_tmp_s_joeuser' for internal use
> Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: copied credentials from "MEMORY:_pam_krb5_tmp_s_joeuser" to "FILE:/tmp/krb5cc_1000_dK5708" for the user, destroying "MEMORY:_pam_krb5_tmp_s_joeuser"
> Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: created v5 ccache 'FILE:/tmp/krb5cc_1000_TOZdDz' for 'joeuser'
>
> I have not studied the source yet, but my guess is that pam_krb5-2.3.2-1.fc10 (Fedora) jumps through hoops to preserve the credentials when keyboard-interactive is in use, and that the hoop-jumping code was added after pam_krb5-2.2.14-10 (on RHEL5), but Red Hat hasn't backported it to RHEL5.
>
> Is that what is happening here? If so, is there any way to get credential caching working for keyboard-interactive authentication on RHEL5 hosts?

I believe you're right here. I'm pretty sure that setting "use_shmem = sshd" in /etc/krb5.conf's [appdefaults] "pam" subsection will do the right thing here. We started setting this as the default in 2.2.15, so that's what's going on in Fedora 10, but I don't think we've brought that back to RHEL5 yet. Can you verify that when you make this change, the right thing starts happening?

Confirmed; with "use_shmem = sshd", keyboard-interactive authentication properly stashes credentials. As an added bonus, not only does keyboard-interactive stash the credentials, but it obeys the ccache_dir setting, which neither gssapi-with-mic nor password authentication does; see bug 487439.

As this is just a matter of configuration I am closing the bug report.
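An added example, not part of the bug report or of pam_krb5: a small Python check that reads the [appdefaults] pam subsection of a krb5.conf and reports whether pam_krb5's use_shmem covers sshd, the setting this thread identifies as the fix for keyboard-interactive credential caching on RHEL 5. The config fragment is constructed, and the reader assumes use_shmem takes either a boolean or a list of PAM service names (the thread only shows the `sshd` list form).

```python
import re

# Constructed krb5.conf fragment (not from the bug report) carrying the fix
# the thread arrives at: use_shmem = sshd in the [appdefaults] pam subsection.
FIXED = """
[appdefaults]
 pam = {
   use_shmem = sshd
   ccache_dir = /tmp
 }
"""

def pam_appdefaults(text):
    """Key = value pairs inside [appdefaults] pam = { ... }; minimal reader:
    one setting per line, '#' comments, braces delimit the pam subsection."""
    settings, section, in_pam = {}, None, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section, in_pam = m.group(1), False
        elif section != "appdefaults":
            continue
        elif re.match(r"pam\s*=\s*\{$", line):
            in_pam = True
        elif line == "}":
            in_pam = False
        elif in_pam and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def shmem_enabled_for(text, service="sshd"):
    """True if pam_krb5 would pass credentials to `service` through shared memory.
    Assumes use_shmem takes a boolean or a space/comma-separated list of PAM
    service names (assumption; the bug report only shows the list form)."""
    value = pam_appdefaults(text).get("use_shmem")
    if value is None:
        # Unset: per the thread, sshd only became the default in pam_krb5 2.2.15
        return False
    low = value.lower()
    if low in ("true", "yes", "1", "false", "no", "0"):
        return low in ("true", "yes", "1")
    return service in re.split(r"[\s,]+", low)
```

Run it against a host's /etc/krb5.conf to confirm the sshd PAM stack will actually hand credentials back to the parent before relying on keyboard-interactive logins having a ccache.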