Bug 155623 - OpenSSH publickey authentication fails when kerberos PAM enabled
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: pam_krb5
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Nalin Dahyabhai
QA Contact: Brian Brock
Reported: 2005-04-21 18:04 EDT by Christopher Audley
Modified: 2007-11-30 17:07 EST
Fixed In Version: 2.1.8-1
Doc Type: Bug Fix
Last Closed: 2006-08-11 11:17:54 EDT

Description Christopher Audley 2005-04-21 18:04:52 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.7) Gecko/20050416 Red Hat/1.0.3-1.4.1 Firefox/1.0.3

Description of problem:
When I enable kerberos authentication against a Windows 2003 server, using redhat-config-authentication, openssh authentication stops working correctly.

If I use password authentication, without attempting publickey auth first, then authentication works.

If I use publickey authentication, it fails.

If I use publickey authentication, then attempt password authentication, the password authentication will fail.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install up-to-date RHEL4
2. Use redhat-config-authentication to set up kerberos auth against AD server
3. Attempt to log in to the machine with ssh using publickey auth

openssh configuration is the stock redhat config.

Actual Results: I get authentication failures every time I try to use publickey. Even password authentication fails after publickey authentication has been tried.

Expected Results: Login should have succeeded. Following the same setup sequence on a RHEL3 machine produces a working openssh configuration; logging in with the same set of keys works fine.

Additional info:

I tried to debug this myself with little success.  I did determine that when the call to monitor_read at line 310 of monitor.c returns, the public key has been accepted (authenticated is true).  However, it is the call to PAM (lines 320-328 monitor.c) that changes the authenticated flag to false.  A call to pam_acct_mgmt in do_pam_account returns PAM_AUTH_ERR.
Comment 1 Tomas Mraz 2005-04-21 18:23:44 EDT
The problem is that openssh doesn't use PAM for authentication when
publickey authentication is invoked. This might be a problem when using pam_krb5
in the account phase of pam config.

On the other hand, if the password authentication always fails after a failed
publickey authentication, that is really a bug which should be fixable. However,
the problem is most probably in the pam_krb5 module, not in openssh.
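
Added example, not part of the original comments and not OpenSSH or pam_krb5 code: a small checker that parses a PAM service stack and reports account-phase rules for pam_krb5 whose PAM_AUTH_ERR would reject a login, since the account phase still runs after publickey authentication as described above. The sample stack is constructed, and the function names are hypothetical; `include` lines and `pam_stack.so` references are not followed, so run it on the file the sshd stack resolves to.

```python
import os
import re

# Constructed sample of a PAM service stack with pam_krb5 enabled
# (illustrative only, not taken from the bug report).
SAMPLE = """\
#%PAM-1.0
auth      required    pam_env.so
auth      sufficient  pam_unix.so likeauth nullok
auth      sufficient  pam_krb5.so use_first_pass
auth      required    pam_deny.so
account   required    pam_unix.so
account   [default=bad success=ok user_unknown=ignore] pam_krb5.so
session   optional    pam_krb5.so
"""

# type, control (keyword or [value=action ...]), module path, arguments
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
FATAL_KEYWORDS = {"required", "requisite"}
FATAL_ACTIONS = {"bad", "die"}

def parse(text):
    """Yield (type, control, module basename, args) for each rule line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        m = LINE.match(line)
        if m:
            mtype, control, path, args = m.groups()
            yield mtype.lower(), control, os.path.basename(path), args.split()

def auth_err_is_fatal(control):
    """True if a PAM_AUTH_ERR from this rule fails the whole stack.

    Bracket controls that name neither auth_err nor default are not
    classified here and are reported as non-fatal.
    """
    if not control.startswith("["):
        return control in FATAL_KEYWORDS
    actions = dict(p.split("=", 1) for p in control.strip("[]").split() if "=" in p)
    return actions.get("auth_err", actions.get("default", "ignore")) in FATAL_ACTIONS

def pubkey_risks(text, watched=("pam_krb5.so",)):
    """Account-phase rules for watched modules whose failure rejects the login."""
    return [(mod, ctl) for t, ctl, mod, _ in parse(text)
            if t == "account" and mod in watched and auth_err_is_fatal(ctl)]

if __name__ == "__main__":
    for mod, ctl in pubkey_risks(SAMPLE):
        print(f"{mod}: account rule '{ctl}' runs after publickey auth and can reject it")
```
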
Comment 2 Nalin Dahyabhai 2006-08-11 11:17:54 EDT
This should have been fixed by 2.1.8-1.  Please reopen this bug if you find that
it wasn't.