Bug 101361 - RHSA-2003:222-01 breaks active directory authenticated KRB5 PAM
RHSA-2003:222-01 breaks active directory authenticated KRB5 PAM
Status: CLOSED DUPLICATE of bug 101183
Product: Red Hat Linux
Classification: Retired
Component: openssh (Show other bugs)
i686 Linux
medium Severity medium
: ---
: ---
Assigned To: Nalin Dahyabhai
Brian Brock
Depends On:
  Show dependency treegraph
Reported: 2003-07-31 03:08 EDT by Need Real Name
Modified: 2007-04-18 12:56 EDT (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-02-21 13:57:53 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Need Real Name 2003-07-31 03:08:47 EDT
Description of problem:  application of RHSA-2003:222-01 (upgrade to SSH) seems
to break the use of KRB5 PAM authentication for SSH logins.  It is possible to
log in as root but not as a user.  The session is immediately terminated by the

Version-Release number of selected component (if applicable): known broken on
RH7.2 and 8.0 as per advisory.

How reproducible:  apply patches.  set machine to authenticate users using KRB5
with an active directory domain controller as the KRB5 server

Steps to Reproduce:
1. apply patches
2. set machine to authenticate users using KRB5 with an active directory domain
controller as the KRB5 server
3. ssh to machine as user - fails
4. use authconfig to unset KRB5 authentication
5. ssh to machine as user - works
Actual results:

Expected results:

Additional info:  rollback to previous version of SSH on affected machines works
Comment 1 Rich Graves 2003-07-31 17:47:39 EDT
Agreed here. Bad patch needs to be rolled back.

Same failures with ssh v1 and ssh v2, with or without X11 forwarding.

/usr/sbin/sshd -D -d -d dies with a segfault.

debug1: userauth-request for user rcgraves service ssh-connection method password
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method password
Segmentation fault
debug1: Calling cleanup 0x8070d70(0x0)
Comment 2 Ken Weaverling 2003-07-31 17:59:49 EDT
Possible dupe at bug 101183
Comment 3 Larry Cole 2003-08-14 14:29:01 EDT
I am having the same problem on several machines.
Comment 4 Mark Leary 2003-08-21 17:03:39 EDT
Temporary workaround:

I have not full investigated the security implications of this, but you can 
enable "Do not require Kerberos Preauthentication" in your AD accounts to get 
around this.
Comment 5 Michael Young 2003-08-21 17:23:59 EDT
There are two other possible workarounds, downgrade openssh to the previous
package, or upgrade the krb5 libraries to the copy on rawhide, though in the
latter case you will probably have to upgrade several other packages as well.
Comment 6 Alfred Hovdestad 2003-09-07 10:36:17 EDT
I have another workaround/some more information.  I found that the new rpm works
with a Sun krb5 server but not a Windows DC.  If I change my krb5.conf to
authenticate against a Sun krb5 server, I can login with ssh.  If I use the
Windows DC, ssh fails.

However, I can still login at the console with the Windows krb5 server, and I
can still generate a krb5 ticket (kinit) with the Windows DC.  Ditto for the
Sun.  It is only ssh that fails with the Windows DC.
Comment 7 Alfred Hovdestad 2003-09-16 16:04:39 EDT
This appears to be fixed with the latest update to openssh.

Comment 8 Mark J. Cox (Product Security) 2003-09-25 05:53:42 EDT

*** This bug has been marked as a duplicate of 101183 ***
Comment 9 Red Hat Bugzilla 2006-02-21 13:57:53 EST
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.

Note You need to log in before you can comment on or make changes to this bug.