Description of problem:
openssh-server-3.1p1-8 will close incoming connection if kerberos is enabled with the authconfig tool. Accounts which do not have kerberos accounts will still get prompted for a password and are still able to login (like root). This is using RedHat 7.3 with all applicable updates, authenticating against a Windows 2000 Server Domain Controller with all applicable updates (using the krb5 pam module, NOT the smb auth pam module.)

Version-Release number of selected component (if applicable):
3.1p1-8

How reproducible:
Every time.

Steps to Reproduce:
1. Install RedHat Linux.
2. Use authconfig to enable kerberos auth (and use a windows 2000 server).
3. Run up2date to get the latest openssh package.
4. Try to login with any account that will use kerberos (not pam_unix).
We were also able to reproduce the problem with a RedHat 9 server.
Found someone else has submitted the same problem under a different bug report. See #101361
I have been looking at the problem for our systems, and on 7.3 at least the server segfaults if kerberos authentication is enabled, though gdb suggests the crash is in the libkrb5 code - so the failure could be related to things not being initialized when libkrb5 expects them to be in the extra call of pam.
Found someone else has submitted the same problem under a different bug report. See #101799
I investigated this problem somewhat, and it looks like a problem originating in the openssh-<version>-pam-timing.patch, at least if I leave this patch out, everything seems to work. I've made tracebacks for 3.1p1 as well as for 3.6p2 (on 7.3 and 9 respectively), which I can make available if you like. (BTW, we're authenticating against a Windows KDC.)
Try the new openssh security fix package, I think this bug might be fixed as well.
We concur, new build seems to fix this problem as well.
OK, seems events caught up with me. I can confirm this problem has been fixed in the new packages.
*** Bug 101799 has been marked as a duplicate of this bug. ***
*** Bug 101361 has been marked as a duplicate of this bug. ***