Description of problem:
In Fedora 21, the .k5login file is ignored by the ssh server. Still, the .k5users file can be used instead.

Version-Release number of selected component (if applicable):
openssh-server-6.6.1p1-5.fc21.1.x86_64
krb5-libs-1.12.2-9.fc21.x86_64

How reproducible:
Always.

Steps to Reproduce:
0. you need a machine with openssh-server and working Kerberos:
   - machine has keytab
   - machine has proper krb5.conf
2. on server: echo "YOU_PRINCIPAL@YOUR_REALM" >> ~/.k5login
3. on client: kinit YOU_PRINCIPAL@YOUR_REALM
4. on client: ssh root@SERVER

Actual results:
- ssh client asks interactively for password
- event in /var/log/audit/audit.log:
  type=USER_AUTH msg=audit(1413383249.883:157): pid=769 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=gssapi acct="root" exe="/usr/sbin/sshd" hostname=? addr=147.228.1.32 terminal=ssh res=failed'
- 'strace /usr/sbin/sshd' doesn't show attempts to read /root/.k5login

Expected results:
- non-interactive logging in

Additional info:
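Added example, not part of the original report or of OpenSSH: Python that parses USER_AUTH audit records in the format quoted above and lists the account/address pairs whose sshd GSSAPI logins fail without ever succeeding, which is the symptom reported here. The sample records are constructed (documentation addresses), and the function names are hypothetical.

```python
import re
import shlex
from collections import defaultdict

# Record header, then the quoted inner msg='...' payload that carries op/acct/res.
REC = re.compile(r"^type=(?P<type>\S+) msg=audit\([\d.]+:(?P<serial>\d+)\): "
                 r".*?msg='(?P<inner>.*)'\s*$")

def parse_user_auth(line):
    """Return the inner key=value fields of a USER_AUTH record, else None."""
    m = REC.match(line.strip())
    if m is None or m["type"] != "USER_AUTH":
        return None
    try:
        # shlex strips the double quotes around values such as acct="root".
        tokens = shlex.split(m["inner"])
    except ValueError:  # unbalanced quote in a truncated record
        return None
    rec = dict(t.split("=", 1) for t in tokens if "=" in t)
    rec["serial"] = int(m["serial"])
    return rec

def gssapi_never_succeeds(lines):
    """Map (acct, addr) -> failure count where sshd GSSAPI auth never succeeded."""
    tally = defaultdict(lambda: {"failed": 0, "success": 0})
    for line in lines:
        rec = parse_user_auth(line)
        if not rec or rec.get("op") != "gssapi" or rec.get("exe") != "/usr/sbin/sshd":
            continue
        if rec.get("res") in ("failed", "success"):
            tally[(rec.get("acct"), rec.get("addr"))][rec["res"]] += 1
    return {k: v["failed"] for k, v in tally.items() if v["failed"] and not v["success"]}

# Constructed sample records modelled on the event in the report.
_T = ("type={t} msg=audit(1413383249.883:{n}): pid=769 uid=0 auid=4294967295 "
      "ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op={op} "
      "acct=\"{acct}\" exe=\"/usr/sbin/sshd\" hostname=? addr={addr} terminal=ssh res={res}'")
SAMPLE = [
    _T.format(t="USER_AUTH", n=157, op="gssapi", acct="root", addr="192.0.2.10", res="failed"),
    _T.format(t="USER_AUTH", n=158, op="gssapi", acct="root", addr="192.0.2.10", res="failed"),
    _T.format(t="USER_AUTH", n=159, op="gssapi", acct="alice", addr="192.0.2.20", res="success"),
    _T.format(t="USER_AUTH", n=160, op="gssapi", acct="alice", addr="192.0.2.20", res="failed"),
    _T.format(t="CRED_ACQ", n=161, op="gssapi", acct="bob", addr="192.0.2.30", res="failed"),
    "not an audit record",
]

if __name__ == "__main__":
    for (acct, addr), n in gssapi_never_succeeds(SAMPLE).items():
        print(f"{acct} from {addr}: {n} failed GSSAPI attempts, no successes")
```

On a real host, pass the lines of /var/log/audit/audit.log instead of SAMPLE.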
Looks like the default of KerberosUseKuserok option changed. I guess if you add KerberosUseKuserok yes to /etc/ssh/sshd_config it should work again.
I see, after enabling KerberosUseKuserok it works now! The option is mentioned in the sshd_config manual page. It looks like this behaviour change comes from Fedora (servconf.c file): http://pkgs.fedoraproject.org/cgit/openssh.git/commit/?id=7463b66c253822126bfb49a97b7d6b05a79cd019
openssh-6.6.1p1-6.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/openssh-6.6.1p1-6.fc21
I've reverted the default value of KerberosUseKuserok back to yes in the latest update. Please provide a karma if it works for you.
Package openssh-6.6.1p1-6.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing openssh-6.6.1p1-6.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-14298/openssh-6.6.1p1-6.fc21
then log in and leave karma (feedback).
Package openssh-6.6.1p1-7.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing openssh-6.6.1p1-7.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-14298/openssh-6.6.1p1-7.fc21
then log in and leave karma (feedback).
openssh-6.6.1p1-7.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.