Red Hat Bugzilla – Bug 155623
OpenSSH publickey authentication fails when kerberos PAM enabled
Last modified: 2007-11-30 17:07:17 EST
Description of problem:
When I enable kerberos authentication against a Windows 2003 server, using redhat-config-authentication, openssh authentication stops working correctly.
If I use password authentication, without attempting publickey auth first, then authentication works.
If I use publickey authentication, it fails.
If I use publickey authentication, then attempt password authentication, the password authentication will fail.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Install an up-to-date RHEL4
2. Use redhat-config-authentication to set up kerberos auth against the AD server
3. Attempt to log in to the machine with ssh using publickey auth
openssh configuration is the stock redhat config.
Actual Results: I get authentication failures every time I try to use publickey. Even password authentication fails after publickey authentication has been tried.
Expected Results: Login should have succeeded. Following the same setup sequence on a RHEL3 machine produces a working openssh configuration; logging in with the same set of keys works fine.
I tried to debug this myself with little success. I did determine that when the call to monitor_read at line 310 of monitor.c returns, the public key has been accepted (authenticated is true). However, it is the call to PAM (lines 320-328 monitor.c) that changes the authenticated flag to false. A call to pam_acct_mgmt in do_pam_account returns PAM_AUTH_ERR.
The problem is that openssh doesn't use PAM for authentication when publickey authentication is invoked. This might be a problem when using pam_krb5 in the account phase of pam config.
On the other hand, if the password authentication always fails after a failed publickey authentication, that is really a bug which should be fixable. However, the problem is most probably in the pam_krb5 module, not in openssh.
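To check a configuration for the situation described in the comment above (pam_krb5 in the account phase, which still runs after publickey authentication), the following Python lists the account-phase modules of a PAM service file. It is an added example, not part of the original bug report or of OpenSSH; the sample configuration is constructed, the function names are hypothetical, and it assumes the text passed in is the stack sshd uses with any included stacks already pasted in.

```python
import re

# Constructed sample of a PAM service file; not taken from the bug report.
SAMPLE_PAM_CONFIG = """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth nullok
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     [default=bad success=ok user_unknown=ignore] \\
            pam_krb5.so
password    sufficient    pam_unix.so nullok use_authtok md5 shadow
session     required      pam_unix.so
"""

# type, control (plain word or bracketed list), module path, optional arguments
RULE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam_rules(text):
    """Return (type, control, module, args) tuples for each rule in a PAM file."""
    joined = re.sub(r"\\\n\s*", " ", text)      # join backslash-continued lines
    rules = []
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()    # drop comments and blank lines
        match = RULE.match(line)
        if match:
            ptype, control, module, args = match.groups()
            rules.append((ptype.lstrip("-").lower(), control, module, args))
    return rules


def account_phase_modules(text):
    """(module, control) pairs of the account phase, i.e. what pam_acct_mgmt runs
    even when the user was authenticated by publickey rather than through PAM."""
    return [(module.rsplit("/", 1)[-1], control)
            for ptype, control, module, _ in parse_pam_rules(text)
            if ptype == "account"]


def krb5_in_account_phase(text):
    """True when a pam_krb5 module is part of the account phase."""
    return any(name.startswith("pam_krb5") for name, _ in account_phase_modules(text))


if __name__ == "__main__":
    for name, control in account_phase_modules(SAMPLE_PAM_CONFIG):
        print(f"account  {control:<48} {name}")
    print("pam_krb5 in account phase:", krb5_in_account_phase(SAMPLE_PAM_CONFIG))
```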
This should have been fixed by 2.1.8-1. Please reopen this bug if you find that