Bug 244641 - Problem for ssh for kerberos users with PermitEmptyPasswords yes
Problem for ssh for kerberos users with PermitEmptyPasswords yes
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: pam_krb5 (Show other bugs)
All Linux
high Severity high
: ---
: ---
Assigned To: Nalin Dahyabhai
Brian Brock
Depends On:
Blocks: 244645 246627
  Show dependency treegraph
Reported: 2007-06-18 06:31 EDT by Martin Poole
Modified: 2010-10-22 11:42 EDT (History)
1 user (show)

See Also:
Fixed In Version: RHBA-2008-0712
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-07-24 15:55:01 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Martin Poole 2007-06-18 06:31:38 EDT
Description of problem:

While running sshd with "PermitEmptyPasswords yes" in RHEL4, kerberos users
can't ssh if the .ssh/authorized_keys of the  kerberos user has the public key
of the source user in it.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1- Set up an ldap server. Add a user to ldap database without sepcifying
"userPassword" attribute.
2 - Set up a kerberos server. Add the same user to kerberos database and set up
a password.
3 - Take an rhel4 system. Run "authconfig" and specify the ldap server for name
service and kerberos for authentication.
4- Edit /etc/ssh/sshd_config and set.

PermitEmptyPasswords yes

Restart sshd.

5 - Take another system. Create an ssh key using "ssh-keygen -t dsa". Append
that key to the ~/.ssh/authorized_keys of the kerberos user.

6 - SSH to the rhel4 system from the client machine. It would prompt you for the
password, but it would never allow the log in.

Actual results:

$ ssh kerbtest@
kerbtest@'s password:
Permission denied, please try again.
kerbtest@'s password:
Permission denied, please try again.
kerbtest@'s password:
Permission denied (publickey,gssapi-with-mic,password)

Expected results:

$ ssh kerbtest@
[kerbtest@ kerbtest]$

Additional info:

RHEL3 and RHEL5 works as expected.

May 21 19:28:44 host3 unix_chkpwd[6746]: password check failed for user (kerbtest)
May 21 19:28:44 host3 sshd(pam_unix)[6744]: authentication failure; logname=
uid=0 euid=0 tty=ssh ruser= rhost=dhcp1-100.example.com  user=kerbtest
May 21 19:28:44 host3 sshd[6744]: pam_krb5[6744]: authentication fails for
'kerbtest' (kerbtest@TEST.EXAMPLE.COM): Authentication failure (Input/output error)
May 21 09:58:47 host3 kernel: SELinux: initialized (dev 0:16, type nfs), uses
May 21 19:28:47 host3 sshd[6744]: pam_krb5[6744]: account checks fail for
'kerbtest': unknown reason 5 (Input/output error)
May 21 19:28:49 host3 unix_chkpwd[6749]: password check failed for user (kerbtest)
May 21 19:28:49 host3 sshd[6744]: pam_krb5[6744]: authentication succeeds for
'kerbtest' (kerbtest@TEST.EXAMPLE.COM)
Comment 3 Martin Poole 2007-06-18 06:43:12 EDT
$ more pam.d/sshd
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so

]$ more pam.d/system-auth 
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore]
account     [default=bad success=ok user_unknown=ignore]
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5
password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_krb5.so
session     optional      /lib/security/$ISA/pam_ldap.so
Comment 6 RHEL Product and Program Management 2007-11-28 23:18:50 EST
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
Comment 14 errata-xmlrpc 2008-07-24 15:55:01 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.