Bug 244641 - Problem for ssh for kerberos users with PermitEmptyPasswords yes
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: pam_krb5 (Show other bugs)
4.5
All Linux
high Severity high
Assigned To: Nalin Dahyabhai
Brian Brock
Depends On:
Blocks: 244645 246627
Reported: 2007-06-18 06:31 EDT by Martin Poole
Modified: 2010-10-22 11:42 EDT (History)

See Also:
Fixed In Version: RHBA-2008-0712
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-07-24 15:55:01 EDT
Type: ---
Regression: ---
Description Martin Poole 2007-06-18 06:31:38 EDT
Description of problem:

While running sshd with "PermitEmptyPasswords yes" in RHEL4, kerberos users
can't ssh if the .ssh/authorized_keys of the  kerberos user has the public key
of the source user in it.

Version-Release number of selected component (if applicable):

pam_krb5-2.1.8-1

How reproducible:

Always

Steps to Reproduce:
1 - Set up an ldap server. Add a user to ldap database without specifying
"userPassword" attribute.
2 - Set up a kerberos server. Add the same user to kerberos database and set up
a password.
3 - Take an rhel4 system. Run "authconfig" and specify the ldap server for name
service and kerberos for authentication.
4 - Edit /etc/ssh/sshd_config and set:

PermitEmptyPasswords yes

Restart sshd.

5 - Take another system. Create an ssh key using "ssh-keygen -t dsa". Append
that key to the ~/.ssh/authorized_keys of the kerberos user.

6 - SSH to the rhel4 system from the client machine. It would prompt you for the
password, but it would never allow the log in.

  
Actual results:

$ ssh kerbtest@10.1.2.3
kerbtest@10.1.2.3's password:
Permission denied, please try again.
kerbtest@10.1.2.3's password:
Permission denied, please try again.
kerbtest@10.1.2.3's password:
Permission denied (publickey,gssapi-with-mic,password)

Expected results:

$ ssh kerbtest@10.1.2.3
[kerbtest@10.1.2.3 kerbtest]$

Additional info:

RHEL3 and RHEL5 work as expected.

May 21 19:28:44 host3 unix_chkpwd[6746]: password check failed for user (kerbtest)
May 21 19:28:44 host3 sshd(pam_unix)[6744]: authentication failure; logname=
uid=0 euid=0 tty=ssh ruser= rhost=dhcp1-100.example.com  user=kerbtest
May 21 19:28:44 host3 sshd[6744]: pam_krb5[6744]: authentication fails for
'kerbtest' (kerbtest@TEST.EXAMPLE.COM): Authentication failure (Input/output error)
May 21 09:58:47 host3 kernel: SELinux: initialized (dev 0:16, type nfs), uses
genfs_contexts
May 21 19:28:47 host3 sshd[6744]: pam_krb5[6744]: account checks fail for
'kerbtest': unknown reason 5 (Input/output error)
May 21 19:28:49 host3 unix_chkpwd[6749]: password check failed for user (kerbtest)
May 21 19:28:49 host3 sshd[6744]: pam_krb5[6744]: authentication succeeds for
'kerbtest' (kerbtest@TEST.EXAMPLE.COM)
Comment 3 Martin Poole 2007-06-18 06:43:12 EDT
$ more pam.d/sshd
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so

$ more pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_krb5.so
session     optional      /lib/security/$ISA/pam_ldap.so
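The log in the description shows pam_krb5 reporting "authentication succeeds" for the user while sshd still refuses the login. The system-auth stacks quoted in comment 3 explain how that can happen: an auth stack can return success through a "sufficient" entry while the separate account stack, whose pam_krb5 entry is controlled by [default=bad success=ok user_unknown=ignore], turns any non-success return into a failure of the whole stack. The simulator below is an added example, not code from the bug report or from pam_krb5; it reimplements the documented Linux-PAM control-flag rules (ok/done/bad/die/ignore) over a copy of the auth and account lines above. The per-module verdicts (AUTH_VERDICTS, ACCOUNT_VERDICTS) and the mapping of the log's "Input/output error" to PAM_SYSTEM_ERR are constructed assumptions for illustration, not observed PAM return codes.

```python
"""Linux-PAM control-flag simulator (added example, not from the bug report).

Walks the 'auth' and 'account' stacks of the system-auth listing in comment 3
and shows why a successful pam_krb5 authentication can still end in a denied
login.  Module verdicts are constructed assumptions; no real PAM calls occur.
"""

PAM_SUCCESS = 0
PAM_SYSTEM_ERR = 4      # assumed stand-in for the log's "Input/output error"
PAM_AUTH_ERR = 7
PAM_USER_UNKNOWN = 10

CODE_NAMES = {
    PAM_SUCCESS: "success",
    PAM_SYSTEM_ERR: "system_err",
    PAM_AUTH_ERR: "auth_err",
    PAM_USER_UNKNOWN: "user_unknown",
}

# The four keyword controls, written in the bracket form Linux-PAM documents.
SIMPLE_CONTROLS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

# Copy of the auth and account stacks from the system-auth file in comment 3.
SYSTEM_AUTH = """
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so
account     required      /lib/security/$ISA/pam_permit.so
"""


def parse_control(token):
    """Turn a control field into a {return_name: action} map."""
    if token.startswith("["):
        return dict(kv.split("=", 1) for kv in token.strip("[]").split())
    return SIMPLE_CONTROLS[token]


def parse_stack(config_text, stack_type):
    """Return [(control, module)] for the lines of one stack type."""
    entries = []
    for raw in config_text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#") or tokens[0] != stack_type:
            continue
        if tokens[1].startswith("["):
            # A bracketed control spans several whitespace-separated tokens.
            end = next(i for i, t in enumerate(tokens) if t.endswith("]"))
            control, module = " ".join(tokens[1:end + 1]), tokens[end + 1]
        else:
            control, module = tokens[1], tokens[2]
        entries.append((control, module.rsplit("/", 1)[-1]))
    return entries


def run_stack(entries, verdicts):
    """Apply the ok/done/bad/die/ignore rules; return (status, trace)."""
    impression = None      # None = undecided, True = positive, False = negative
    status = PAM_SUCCESS
    trace = []
    for control, module in entries:
        actions = parse_control(control)
        retval = verdicts.get(module, PAM_SUCCESS)   # unlisted modules succeed
        action = actions.get(CODE_NAMES[retval], actions.get("default", "bad"))
        trace.append(f"{module}: {CODE_NAMES[retval]} -> {action}")
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            # A result only counts while the stack has not already failed.
            if impression is None or (impression and status == PAM_SUCCESS):
                impression, status = True, retval
            if action == "done" and impression:
                break          # sufficient success with no earlier failure
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status = False, retval   # first failure sticks
            if action == "die":
                break
        else:
            raise ValueError(f"unsupported action {action!r}")
    return status, trace


def login_decision(config_text, auth_verdicts, account_verdicts):
    """sshd grants a password login only if both stacks return PAM_SUCCESS."""
    auth_status, _ = run_stack(parse_stack(config_text, "auth"), auth_verdicts)
    acct_status, _ = run_stack(parse_stack(config_text, "account"), account_verdicts)
    return auth_status, acct_status, (auth_status, acct_status) == (PAM_SUCCESS, PAM_SUCCESS)


# Constructed verdicts modelled on the log lines: unix_chkpwd fails for the
# LDAP user without a userPassword, pam_krb5 accepts the Kerberos password,
# the user is not a system account, and pam_krb5's account check errors out.
AUTH_VERDICTS = {"pam_unix.so": PAM_AUTH_ERR, "pam_krb5.so": PAM_SUCCESS,
                 "pam_deny.so": PAM_AUTH_ERR}
ACCOUNT_VERDICTS = {"pam_succeed_if.so": PAM_AUTH_ERR, "pam_krb5.so": PAM_SYSTEM_ERR}

if __name__ == "__main__":
    auth, acct, allowed = login_decision(SYSTEM_AUTH, AUTH_VERDICTS, ACCOUNT_VERDICTS)
    print("auth:", CODE_NAMES[auth], "account:", CODE_NAMES[acct], "login:", allowed)
    for line in run_stack(parse_stack(SYSTEM_AUTH, "account"), ACCOUNT_VERDICTS)[1]:
        print("  ", line)
```

Running it prints an auth result of success (pam_krb5's "sufficient" entry ends the auth stack early) and an account result of system_err: pam_krb5's account error is mapped to "bad" by the bracket control, and the trailing "required pam_permit.so" cannot override a failure that is already recorded. Swapping the pam_krb5 account verdict to PAM_SUCCESS flips the decision to an allowed login, which is the observable effect of the fix shipped in the errata.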
Comment 6 RHEL Product and Program Management 2007-11-28 23:18:50 EST
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 14 errata-xmlrpc 2008-07-24 15:55:01 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0712.html
