[Bug 217369] New: openssh calls pam(account) when auth with gssapi
https://bugzilla.novell.com/show_bug.cgi?id=217369

Summary: openssh calls pam(account) when auth with gssapi
Product: openSUSE 10.2
Version: Beta 1 plus
Platform: Other
OS/Version: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: Other
AssignedTo: anicka@novell.com
ReportedBy: mc@novell.com
QAContact: qa@suse.de

When I call openssh with GSSAPI authentication, the PAM account module is called after GSSAPI auth was successful. This failed with:

  Nov 2 15:36:10 mctest sshd[20641]: Authorized to ugansert, krb5 principal tux@SUSE.DE (krb5_kuserok)
  Nov 2 15:36:10 mctest sshd[20641]: pam_krb5[20641]: user 'ugansert' was not authenticated by pam_krb5, returning "User not known to the underlying authentication module"
  Nov 2 15:36:10 mctest sshd[20641]: pam_krb5[20641]: pam_acct_mgmt returning 10 (User not known to the underlying authentication module)

I think calling PAM if the auth method is GSSAPI is simply a bug, isn't it?

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
You are receiving this mail because: You are on the CC list for the bug, or are watching someone who is.
anicka@novell.com changed:
  Status: NEW -> ASSIGNED
anicka@novell.com changed:
  Status: ASSIGNED -> NEEDINFO
  Info Provider: (none) -> mc@novell.com

Comment #1 from anicka@novell.com 2006-11-08 10:21 MST

Please attach ssh -vvv verbose output and sshd debug output.
Comment #3 from mc@novell.com 2006-11-09 02:15 MST

Created an attachment (id=104429) --> https://bugzilla.novell.com/attachment.cgi?id=104429&action=view
logfiles
anicka@novell.com changed:
  Status: ASSIGNED -> NEEDINFO
  Info Provider: (none) -> mc@novell.com

Comment #4 from anicka@novell.com 2006-11-21 06:08 MST

As far as I can see, openssh with GSSAPI authentication calls PAM if and only if it is told to do so. Does it behave this way even if you set "UsePAM no" in your sshd_config? If yes, then it is really a bug.
mc@novell.com changed:
  CC: (none) -> security-team@suse.de
  Info Provider: mc@novell.com -> security-team@suse.de

Comment #5 from mc@novell.com 2006-11-21 06:30 MST

I am sure that it will not happen if UsePAM is no (the test will take some time because I am currently making a new installation of my test machine). But the question is what about a mixed environment. A company has a kerberized network and an administrator logs in from home without Kerberos (GSSAPI). He wants to use PAM (pam_krb5) to auth. Then, when he is in the company network, he has a ticket (from pam_krb5) and wants to ssh to another host with GSSAPI. The other host now calls the pam_krb5 account module without the auth module before. This is forbidden and results in an error. => GSSAPI auth does not work.

My understanding is "when GSSAPI is selected then only GSSAPI will be done" and not parts of a PAM authentication. Maybe we ask the security-team if this is a bug or a feature.
Comment #6 from anicka@novell.com 2006-11-21 06:48 MST

Understood. I can easily make a patch disabling calling PAM when using GSSAPI, but I am afraid I cannot see all the security consequences of such a patch. It is really a question for security-team.
Comment #7 from lnussel@novell.com 2006-11-27 02:22 MST

Sounds like pam_krb5 always fails the pam_acct_mgmt function if the user was not previously authenticated by pam_krb5 itself. I don't know if that is a bug or a feature :)
mc@novell.com changed:
  CC: (none) -> kukuk@novell.com

Comment #8 from mc@novell.com 2006-11-27 03:24 MST

Well, during the auth procedure krb5 might return an error which is saved inside of PAM. When the account module is called, this error will be evaluated and a more specific error tells the application what exactly is going wrong. For example: account expired, password expired, etc. pam_krb5 can only do this when auth was running before.

I found a workaround. pam_krb5 knows the option ignore_unknown_principals in the account part. In our case it would return PAM_IGNORE instead of an error. This option is currently not supported by pam-config. So it might be a good idea to invite kukuk. Which way do we want to go?
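The failure signature from the initial report (a successful GSSAPI authorization in sshd followed by pam_krb5's pam_acct_mgmt returning 10 for the same sshd process) and the workaround described in comment #8 (the ignore_unknown_principals option on the pam_krb5 account line) are both mechanical enough to check automatically. The script below is an added example written for this page; it is not code from the bug thread, from openssh, pam_krb5 or pam-config. The first three log lines are the ones pasted in the report, the remaining two and the two PAM stack fragments are constructed for the example, and the exact layout pam-config writes to /etc/pam.d is not assumed: the second function only parses the generic "type control module args" line format.

```python
"""Detect the GSSAPI-then-pam_acct_mgmt failure from bug 217369 and the
missing ignore_unknown_principals workaround.

Added example; not code from the bug thread, openssh, pam_krb5 or pam-config.
"""
import re
from collections import defaultdict

# Syslog line as sshd writes it: "Nov  2 15:36:10 host sshd[20641]: message"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Message sshd logs when krb5_kuserok accepted the GSSAPI principal for the user
AUTHZ_RE = re.compile(
    r"^Authorized to (?P<user>\S+), krb5 principal (?P<princ>\S+) \(krb5_kuserok\)$"
)
# Message pam_krb5 logs from its account stage; 10 is PAM_USER_UNKNOWN in the report
ACCT_RE = re.compile(r"^pam_krb5\[\d+\]: pam_acct_mgmt returning (?P<rc>\d+)")

# Lines 1-3 are from the bug report; lines 4-5 are constructed to show a
# session where the account stage succeeds (rc 0) and must not be flagged.
SAMPLE_LOG = """\
Nov  2 15:36:10 mctest sshd[20641]: Authorized to ugansert, krb5 principal tux@SUSE.DE (krb5_kuserok)
Nov  2 15:36:10 mctest sshd[20641]: pam_krb5[20641]: user 'ugansert' was not authenticated by pam_krb5, returning "User not known to the underlying authentication module"
Nov  2 15:36:10 mctest sshd[20641]: pam_krb5[20641]: pam_acct_mgmt returning 10 (User not known to the underlying authentication module)
Nov  2 15:40:02 mctest sshd[20702]: Authorized to tux, krb5 principal tux@SUSE.DE (krb5_kuserok)
Nov  2 15:40:02 mctest sshd[20702]: pam_krb5[20702]: pam_acct_mgmt returning 0 (Success)
"""

# Constructed, hypothetical account stacks; not what pam-config actually writes.
SAMPLE_PAM_ACCOUNT = """\
# constructed common-account: pam_krb5 account line without the workaround
account required        pam_unix2.so
account required        pam_krb5.so
"""
SAMPLE_PAM_ACCOUNT_FIXED = """\
account required        pam_unix2.so
account required        pam_krb5.so     ignore_unknown_principals
"""


def correlate(lines):
    """Return one finding per sshd PID that was authorized via GSSAPI but whose
    pam_krb5 account stage then returned a non-zero PAM status."""
    by_pid = defaultdict(dict)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        a = AUTHZ_RE.match(msg)
        if a:
            by_pid[pid]["user"] = a.group("user")
            by_pid[pid]["principal"] = a.group("princ")
            continue
        c = ACCT_RE.match(msg)
        if c:
            by_pid[pid]["acct_rc"] = int(c.group("rc"))
    return [
        {"pid": pid, **info}
        for pid, info in by_pid.items()
        if "user" in info and info.get("acct_rc") not in (None, 0)
    ]


def unguarded_krb5_account_lines(pam_text):
    """Return (lineno, line) for every pam_krb5 'account' entry that lacks the
    ignore_unknown_principals argument. Handles both plain control words
    (required, sufficient, ...) and bracketed ones like [default=ignore]."""
    hits = []
    for n, raw in enumerate(pam_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0].lower() != "account" or len(fields) < 3:
            continue
        try:
            if fields[1].startswith("["):
                idx = next(i for i, f in enumerate(fields) if f.endswith("]"))
            else:
                idx = 1
            module, args = fields[idx + 1], fields[idx + 2:]
        except (StopIteration, IndexError):
            continue  # malformed control field; a real audit should report it
        if "pam_krb5" in module and "ignore_unknown_principals" not in args:
            hits.append((n, raw))
    return hits


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG.splitlines()):
        print("GSSAPI ok but account stage failed:", f)
    for n, l in unguarded_krb5_account_lines(SAMPLE_PAM_ACCOUNT):
        print(f"pam_krb5 account line {n} lacks ignore_unknown_principals: {l}")
```

Run it against a real sshd log and /etc/pam.d/common-account (or the sshd service file) to see whether a host is affected before touching pam-config; the correlation keys on the sshd PID so that an unrelated failed login in the same second does not produce a false hit.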
meissner@novell.com changed:
  Info Provider: security-team@suse.de -> lnussel@novell.com

Comment #9 from meissner@novell.com 2007-01-12 09:10 MST

Something for Ludwig / Thorsten to look at.
lnussel@novell.com changed:
  Info Provider: lnussel@novell.com -> kukuk@novell.com

Comment #10 from lnussel@novell.com 2007-01-15 05:35 MST

I don't know enough about GSSAPI and krb5 to be able to tell whether this option makes sense.
kukuk@novell.com changed:
  Status: NEEDINFO -> ASSIGNED
  Info Provider: kukuk@novell.com -> (none)

Comment #11 from kukuk@novell.com 2007-01-16 03:28 MST

ignore_unknown_principals is on my list for pam-config. But everybody with time can add it ;-) I don't know enough about pam_krb5 to understand why they need it; none of the modules I know the code of have this dependency between the auth and acct sections.
Comment #12 from ian.grant@cl.cam.ac.uk 2007-01-24 05:23 MST

Perhaps this should be a separate bug report, but I will see what happens if I post it here. There is another reason for adding ignore_unknown_principals to pam-config for pam_krb5, and it is that currently, with a YaST-configured Kerberos client on openSUSE 10.2, it is not possible to install the tetex RPM! If there is a nobody user on the system then the tetex post-install needs to do something like this (from /usr/bin/texhash):

  su $nobody -s /bin/sh -c 'exec -a ls ls -LRa 2>/dev/null';

But:

  $ sudo su nobody -s /bin/bash -c id
  root's password:
  su: incorrect password

The problem is that user nobody is a local user and there is no corresponding Kerberos principal, so the "account required" fails. Adding ignore_unknown_principals fixes this.
mc@novell.com changed:
  AssignedTo: anicka@novell.com -> jsuchome@novell.com
  Status: ASSIGNED -> NEW

Comment #13 from mc@novell.com 2007-02-22 09:06 MST

Reassign to Jiri:

Jiri: pam-config in 10.3 now supports --krb5-ignore_unknown_principals. Would you add this to yast2 kerberos-client please? I think it makes sense to set this option on by default.
jsuchome@novell.com changed:
  Status: NEW -> NEEDINFO
  Info Provider: (none) -> mc@novell.com

Comment #14 from jsuchome@novell.com 2007-02-22 09:11 MST

If it makes sense by default, then it should be enabled by default (by general pam-config --add --krb5), IMHO. For example because it could not be changed back in the YaST UI. Or does it make sense to not use the option? If yes, maybe there should be a checkbox in the kerberos-client UI.
mc@novell.com changed:
  Status: NEEDINFO -> NEW
  Info Provider: mc@novell.com -> (none)

Comment #15 from mc@novell.com 2007-02-22 09:28 MST

I think there is a use case where it makes sense not to use this option :-) A checkbox would be fine. How to name it? Hmm ... "Ignore unknown user during account checking" .. or something like that?
jsuchome@novell.com changed:
  Status: NEW -> NEEDINFO
  Info Provider: (none) -> rwalter@novell.com

Comment #16 from jsuchome@novell.com 2007-02-23 04:56 MST

I used only "Ignore Unknown Users" and, as help text, "Check Ignore Unknown Users to let Kerberos ignore authentication attempts by the users it does not know." Rebecca, could you check the new texts (for 10.3)?
rwalter@novell.com changed:
  CC: (none) -> rwalter@novell.com
  Status: NEEDINFO -> NEW
  Info Provider: rwalter@novell.com -> (none)

Comment #17 from rwalter@novell.com 2007-02-23 05:05 MST

s/to let/to have/
s/the users/users/

Sounds okay to me.
jsuchome@novell.com changed:
  Status: NEW -> NEEDINFO
  Info Provider: (none) -> kukuk@novell.com

Comment #18 from jsuchome@novell.com 2007-02-23 06:26 MST

I have pam-config-0.15-4, but although I tried to set both

  pam-config -a --krb5 --krb5-ignore_unknown_principals

and

  pam-config -a --krb5-ignore_unknown_principals

I'm unable to query the status of --krb5-ignore_unknown_principals:

  pam-config -q --krb5-ignore_unknown_principals

doesn't tell anything.
Comment #19 from mc@novell.com 2007-02-26 08:26 MST

  # rpm -q pam-config
  pam-config-0.15-3
  # pam-config -a --krb5
  # pam-config -a --krb5-ignore_unknown_principals
  # pam-config -q --krb5
  account: ignore_unknown_principals
  auth:
  password:
  session:
Comment #21 from jsuchome@novell.com 2007-02-27 01:17 MST

Created an attachment (id=121211) --> https://bugzilla.novell.com/attachment.cgi?id=121211&action=view
yast2-kerberos-client

Here is the package with the new checkbox for testing.
jsuchome@novell.com changed:
  Status: ASSIGNED -> RESOLVED
  Resolution: (none) -> FIXED

Comment #22 from jsuchome@novell.com 2007-02-27 02:11 MST

Fixed in yast2-kerberos-client-2.15.4 (for openSUSE 10.3)