Bug 486256 - keyboard-interactive auth does not cache Kerberos credentials
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: openssh
Version: 5.3
Hardware: All Linux
Priority: low
Severity: medium
Target Milestone: rc
Assigned To: Tomas Mraz
QA Contact: BaseOS QE
Reported: 2009-02-18 22:51 EST by James Ralston
Modified: 2009-03-30 04:37 EDT (History)

Last Closed: 2009-03-30 04:37:14 EDT
Description James Ralston 2009-02-18 22:51:11 EST
(I'm filing against openssh, but I suspect this might be a pam_krb5 issue.)

If I use:

openssh-4.3p2-29.el5
pam_krb5-2.2.14-10

on an ssh server with these sshd options:

PasswordAuthentication yes
ChallengeResponseAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes

And these PAM modules:

auth        required      pam_env.so
auth        requisite     pam_succeed_if.so uid >= 0 quiet
auth        [default=ignore success=3] pam_succeed_if.so uid >= 1000 uid <61000 quiet
auth        [default=ignore success=2] pam_succeed_if.so uid > 61999 quiet
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=4]   pam_deny.so
auth        [authinfo_unavail=ignore success=1 default=2] pam_krb5.so debug use_first_pass
auth        [default=2 success=done] pam_ccreds.so action=validate use_first_pass
auth        [default=done] pam_ccreds.so action=store
auth        [default=bad] pam_ccreds.so action=update
auth        required      pam_deny.so

Then although "password" authentication properly stashes the Kerberos credentials, "keyboard-interactive" authentication does not.

This is trivial to test from a client:

$ ssh -o PreferredAuthentications=keyboard-interactive rhel5host.example.org 'echo x${KRB5CCNAME}x; sleep 3'
Password for joeuser@EXAMPLE.ORG: 
xx

But: 

$ ssh -o PreferredAuthentications=password rhel5host.example.org 'echo x${KRB5CCNAME}x; sleep 3'
joeuser@rhel5host.example.org's password: 
xFILE:/tmp/krb5cc_1000_HPTOMXx

I have tested both with and without PrivilegeSeparation, but it makes no difference in the results.

However, when a Fedora 10 box is the server, the Kerberos credentials are cached properly with both password and keyboard-interactive authentication.

When I enable pam_krb5 debugging for all services, I see that the logs are mostly the same. However, the Fedora 10 logs contain this very illuminating snippet:

Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: recovered v5 credentials from shared memory segment 141656097
Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: recovered v4 credential state from shared memory segment 141688866
Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: removing v5 shared memory segment 141656097 creator pid 5710
Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: cleanup function removing shared memory segment 141656097 belonging to process 5710
Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: removing v4 shared memory segment 141688866 creator pid 5710
Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: cleanup function removing shared memory segment 141688866 belonging to process 5710
Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: creating v5 ccache for 'joeuser', uid=1000, gid=1000
Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: saving v5 credentials to 'MEMORY:_pam_krb5_tmp_s_joeuser@EXAMPLE.ORG-0' for internal use
Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: copied credentials from "MEMORY:_pam_krb5_tmp_s_joeuser@EXAMPLE.ORG-0" to "FILE:/tmp/krb5cc_1000_dK5708" for the user, destroying "MEMORY:_pam_krb5_tmp_s_joeuser@EXAMPLE.ORG-0"
Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: created v5 ccache 'FILE:/tmp/krb5cc_1000_TOZdDz' for 'joeuser'

I have not studied the source yet, but my guess is that pam_krb5-2.3.2-1.fc10 (Fedora) jumps through hoops to preserve the credentials when keyboard-interactive is in use, and that the hoop-jumping code was added after pam_krb5-2.2.14-10 (on RHEL5), but Red Hat hasn't backported it to RHEL5.

Is that what is happening here? If so, is there any way to get credential caching working for keyboard-interactive authentication on RHEL5 hosts?
Comment 1 James Ralston 2009-03-06 12:47:35 EST
Cross-filed as Red Hat Service Request 1901374.
Comment 2 Nalin Dahyabhai 2009-03-06 15:19:45 EST
(In reply to comment #0)
> However, when a Fedora 10 box is the server, the Kerberos credentials are
> cached properly with both password and keyboard-interactive authentication.
> 
> When I enable pam_krb5 debugging for all services, I see that the logs are
> mostly the same. However, the Fedora 10 logs contain this very illuminating
> snippet:
> 
> Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: recovered v5 credentials
> from shared memory segment 141656097
> Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: recovered v4 credential
> state from shared memory segment 141688866
> Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: removing v5 shared memory
> segment 141656097 creator pid 5710
> Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: cleanup function removing
> shared memory segment 141656097 belonging to process 5710
> Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: removing v4 shared memory
> segment 141688866 creator pid 5710
> Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: cleanup function removing
> shared memory segment 141688866 belonging to process 5710
> Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: creating v5 ccache for
> 'joeuser', uid=1000, gid=1000
> Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: saving v5 credentials to
> 'MEMORY:_pam_krb5_tmp_s_joeuser@EXAMPLE.ORG-0' for internal use
> Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: copied credentials from
> "MEMORY:_pam_krb5_tmp_s_joeuser@EXAMPLE.ORG-0" to
> "FILE:/tmp/krb5cc_1000_dK5708" for the user, destroying
> "MEMORY:_pam_krb5_tmp_s_joeuser@EXAMPLE.ORG-0"
> Feb 18 22:27:37 f10host sshd[5708]: pam_krb5[5708]: created v5 ccache
> 'FILE:/tmp/krb5cc_1000_TOZdDz' for 'joeuser'
> 
> I have not studied the source yet, but my guess is that pam_krb5-2.3.2-1.fc10
> (Fedora) jumps through hoops to preserve the credentials when
> keyboard-interactive is in use, and that the hoop-jumping code was added after
> pam_krb5-2.2.14-10 (on RHEL5), but Red Hat hasn't backported it to RHEL5.
> 
> Is that what is happening here? If so, is there any way to get credential
> caching working for keyboard-interactive authentication on RHEL5 hosts?  

I believe you're right here.  I'm pretty sure that setting "use_shmem = sshd" in /etc/krb5.conf's [appdefaults] "pam" subsection will do the right thing here.  We started setting this as the default in 2.2.15, so that's what's going on in Fedora 10, but I don't think we've brought that back to RHEL5 yet.

Can you verify that when you make this change, the right thing starts happening?
Comment 3 James Ralston 2009-03-06 17:21:30 EST
Confirmed; with "use_shmem = sshd", keyboard-interactive authentication properly stashes credentials.

As an added bonus, not only does keyboard-interactive stash the credentials, but it obeys the ccache_dir setting, which neither gssapi-with-mic nor password authentication does; see bug 487439.
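As an added example (not code from the bug report or from the pam_krb5 project), the check an administrator could run against a RHEL5 host's krb5.conf to confirm that the fix from comments 2 and 3 is in place: a small parser for the [appdefaults] pam subsection that reports whether use_shmem covers the sshd service. The sample krb5.conf is constructed, and treating a bare boolean value as covering every service is an assumption about pam_krb5's option handling.

```python
"""Check whether pam_krb5 will hand credentials from the auth phase to the
session phase (use_shmem) for a given PAM service, from krb5.conf."""
import re

# Constructed sample of a krb5.conf carrying the fix from this bug report.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = EXAMPLE.ORG

[appdefaults]
 pam = {
   debug = false
   use_shmem = sshd
   ccache_dir = /tmp
 }
"""


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value-or-dict}}.
    Supports 'key = value' lines and nested 'key = { ... }' subsections;
    comments start with '#' or ';'."""
    conf, stack, section = {}, [], None
    for raw in text.splitlines():
        line = re.split(r'[#;]', raw, 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^\[(\S+)\]$', line)
        if m:                       # new top-level section
            section = conf.setdefault(m.group(1), {})
            stack = [section]
            continue
        if line == '}':             # close the innermost subsection
            if len(stack) > 1:
                stack.pop()
            continue
        if section is None or '=' not in line:
            continue
        key, value = (s.strip() for s in line.split('=', 1))
        if value == '{':            # open a subsection such as 'pam = {'
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return conf


def pam_use_shmem(text):
    """Return the use_shmem value from [appdefaults] pam, or None if unset."""
    pam = parse_krb5_conf(text).get('appdefaults', {}).get('pam', {})
    return pam.get('use_shmem') if isinstance(pam, dict) else None


def shmem_enabled_for(text, service):
    """True if use_shmem lists `service`; a bare true/yes/on/1 is assumed
    (not verified here) to mean every service."""
    value = pam_use_shmem(text)
    if value is None:
        return False
    tokens = [t.lower() for t in re.split(r'[\s,]+', value) if t]
    if tokens in (['true'], ['yes'], ['on'], ['1']):
        return True
    return service.lower() in tokens
```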
Comment 4 Tomas Mraz 2009-03-30 04:37:14 EDT
As this is just a matter of configuration, I am closing the bug report.
