101183 – openssh-server-3.1p1-8 and krb5 pam module do not work together.. prevent logins

Bug 101183 - openssh-server-3.1p1-8 and krb5 pam module do not work together.. prevent logins

Summary: openssh-server-3.1p1-8 and krb5 pam module do not work together.. prevent logins

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Linux
Classification:	Retired
Component:	openssh
Sub Component:
Version:	7.3
Hardware:	i386
OS:	Linux
Priority:	medium
Severity:	high
Target Milestone:	---
Assignee:	Nalin Dahyabhai
QA Contact:	Brian Brock
Docs Contact:
URL:
Whiteboard:
Duplicates (2):	101361 101799 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2003-07-29 21:01 UTC by Pat Hennessy
Modified:	2007-04-18 16:56 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2003-09-25 09:54:32 UTC
Embargoed:

Attachments	(Terms of Use)

Description Pat Hennessy 2003-07-29 21:01:30 UTC

Description of problem:
openssh-server-3.1p1-8 will close incoming connection if kerberos is enabled
with the authconfig tool.  Accounts which do not have kerberos accounts will
still get prompted for a password and are still able to login (like root).  This
is using RedHat 7.3 with all applicable updates, authenticating against a
Windows 2000 Server Domain Controller with all applicable updates (using the
krb5 pam module, NOT the smb auth pam module.)

Version-Release number of selected component (if applicable):
3.1p1-8

How reproducible:
Every time.

Steps to Reproduce:
1. Install RedHat Linux.
2. Use authconfig to enable kerberos auth (and use a windows 2000 server).
3. Run up2date to get the latest openssh package.
4. Try to login with any account that will use kerberos (not pam_unix).

Comment 1 Pat Hennessy 2003-07-31 20:26:34 UTC

We were also able to reproduce the problem with a RedHat 9 server.

Comment 2 Pat Hennessy 2003-07-31 20:28:49 UTC

Found someone else has submited the same problem under a different bug report.

See #101361

Comment 3 Michael Young 2003-08-05 16:21:53 UTC

I have been looking at the problem for our systems, and on 7.3 at least the
server segfaults if kerberos authentication is enabled, though gdb suggests the
crash is in the libkrb5 code - so the failure could be related to things not
being initialized when libkrb5 expects them to be in the extra call of pam.

Comment 4 Pat Hennessy 2003-08-11 18:45:28 UTC

Found someone else has submited the same problem under a different bug report.

See #101799

Comment 5 Peter van Hooft 2003-09-16 18:26:38 UTC

I investigated this problem somewhat, and it looks like a problem originating in
the openssh-<version>-pam-timing.patch, at least if I leave this patch out,
everything seems to work. I've made tracebacks for 3.1p1 as well as for 3.6p2
(on 7.3 and 9 respectively), which I can make available if you like. (BTW, we're
authenticating against a Windows KDC.)

Comment 6 Michael Young 2003-09-16 18:47:34 UTC

Try the new openssh security fix package, I think this bug might be fixed as well.

Comment 7 Rich Graves 2003-09-16 19:35:03 UTC

We concur, new build seems to fix this problem as well.

Comment 8 Peter van Hooft 2003-09-16 19:42:03 UTC

OK, seems events caught up with me.  I can confirm this problem has been fixed
in the new packages.

Comment 9 Mark J. Cox 2003-09-25 09:53:15 UTC

*** Bug 101799 has been marked as a duplicate of this bug. ***

Comment 10 Mark J. Cox 2003-09-25 09:53:46 UTC

*** Bug 101361 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.