Bug 101183 - openssh-server-3.1p1-8 and krb5 pam module do not work together.. prevent logins
openssh-server-3.1p1-8 and krb5 pam module do not work together.. prevent logins
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: openssh (Show other bugs)
7.3
i386 Linux
medium Severity high
: ---
: ---
Assigned To: Nalin Dahyabhai
Brian Brock
:
: 101361 101799 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2003-07-29 17:01 EDT by Pat Hennessy
Modified: 2007-04-18 12:56 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2003-09-25 05:54:32 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Pat Hennessy 2003-07-29 17:01:30 EDT
Description of problem:
openssh-server-3.1p1-8 will close incoming connection if kerberos is enabled
with the authconfig tool.  Accounts which do not have kerberos accounts will
still get prompted for a password and are still able to login (like root).  This
is using RedHat 7.3 with all applicable updates, authenticating against a
Windows 2000 Server Domain Controller with all applicable updates (using the
krb5 pam module, NOT the smb auth pam module.)

Version-Release number of selected component (if applicable):
3.1p1-8

How reproducible:
Every time.

Steps to Reproduce:
1. Install RedHat Linux.
2. Use authconfig to enable kerberos auth (and use a windows 2000 server).
3. Run up2date to get the latest openssh package.
4. Try to login with any account that will use kerberos (not pam_unix).
Comment 1 Pat Hennessy 2003-07-31 16:26:34 EDT
We were also able to reproduce the problem with a RedHat 9 server.
Comment 2 Pat Hennessy 2003-07-31 16:28:49 EDT
Found someone else has submited the same problem under a different bug report.

See #101361
Comment 3 Michael Young 2003-08-05 12:21:53 EDT
I have been looking at the problem for our systems, and on 7.3 at least the
server segfaults if kerberos authentication is enabled, though gdb suggests the
crash is in the libkrb5 code - so the failure could be related to things not
being initialized when libkrb5 expects them to be in the extra call of pam.
Comment 4 Pat Hennessy 2003-08-11 14:45:28 EDT
Found someone else has submited the same problem under a different bug report.

See #101799
Comment 5 Peter van Hooft 2003-09-16 14:26:38 EDT
I investigated this problem somewhat, and it looks like a problem originating in
the openssh-<version>-pam-timing.patch, at least if I leave this patch out,
everything seems to work. I've made tracebacks for 3.1p1 as well as for 3.6p2
(on 7.3 and 9 respectively), which I can make available if you like. (BTW, we're
authenticating against a Windows KDC.)
Comment 6 Michael Young 2003-09-16 14:47:34 EDT
Try the new openssh security fix package, I think this bug might be fixed as well.
Comment 7 Rich Graves 2003-09-16 15:35:03 EDT
We concur, new build seems to fix this problem as well.
Comment 8 Peter van Hooft 2003-09-16 15:42:03 EDT
OK, seems events caught up with me.  I can confirm this problem has been fixed
in the new packages.
Comment 9 Mark J. Cox (Product Security) 2003-09-25 05:53:15 EDT
*** Bug 101799 has been marked as a duplicate of this bug. ***
Comment 10 Mark J. Cox (Product Security) 2003-09-25 05:53:46 EDT
*** Bug 101361 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.