Red Hat Bugzilla – Bug 86324
pam_krb5 minimum_uid doesn't work
Last modified: 2007-04-18 12:52:12 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020823
Description of problem:
# grep pam_krb /etc/pam.d/system-auth
auth sufficient /lib/security/pam_krb5.so minimum_uid=15 use_first_pass
password required /lib/security/pam_krb5.so use_authtok minimum_uid=15
session sufficient /lib/security/pam_krb5.so minimum_uid=15
Then when I try to log in via ssh as root:
pam_krb5: authenticate error: Clients credentials have been revoked (-1765328366)
pam_krb5: authentication fails for `root'
Failed password for root from x.x.x.x port 48196 ssh2
If minimum_uid doesn't try the UID, then how does it know the credentials have
been revoked? I have disabled all 'standard' accounts like root.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Set the minimum_uid and try to log in
Expected Results: pam_krb5 ignores that user and drops to next module
I also have reproduced this problem. It allows logins for default accounts
like rpm if someone with AD rights feels like creating one.
Never mind. I figured out that it belongs in [appdefaults] / pam =
in /etc/krb5.conf and seems to work fine there.
Shouldn't it be a Red Hat default? And shouldn't it be 100 and not 15? The rpm
user is wide open at uid 37.
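
Added example (not part of the original bug report and not pam_krb5's own code): a small audit helper for the point raised in the last comment, listing local accounts that sit at or above a chosen minimum_uid but below a system-account ceiling, and so would still be handled by pam_krb5. The function names, the ceiling default of 100 and the sample passwd entries are assumptions made for illustration; only rpm at uid 37 is taken from the report.

```shell
#!/bin/sh
# Audit helper: which local accounts below a "system account" ceiling would
# pam_krb5 still handle for a given minimum_uid? pam_krb5 skips users whose
# UID is below minimum_uid, so every account at or above it is handled.

# Usage: krb5_handled_system_accounts MIN_UID [CEILING] [PASSWD_FILE]
# CEILING defaults to 100, the value proposed in the last comment (assumption).
krb5_handled_system_accounts() {
    min_uid=$1
    ceiling=${2:-100}
    passwd_file=${3:-/etc/passwd}
    awk -F: -v min="$min_uid" -v max="$ceiling" '
        /^#/ || NF < 7      { next }            # skip comments, malformed rows
        $3 !~ /^[0-9]+$/    { next }            # skip non-numeric UID fields
        $3 + 0 >= min + 0 && $3 + 0 < max + 0 { print $1 ":" $3 }
    ' "$passwd_file"
}

# Constructed passwd(5) sample. Only rpm at uid 37 comes from the bug report.
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
alice:x:500:500::/home/alice:/bin/bash
EOF
}

sample=$(mktemp)
write_sample_passwd "$sample"
echo "minimum_uid=15:";  krb5_handled_system_accounts 15  100 "$sample"
echo "minimum_uid=100:"; krb5_handled_system_accounts 100 100 "$sample"
rm -f "$sample"
```

Run against the real /etc/passwd by omitting the third argument; any name it prints is a local system account for which a matching Kerberos principal would be accepted.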