FYI: Kerberos on RHEL5 - Kerberos



Thread: FYI: Kerberos on RHEL5

  1. FYI: Kerberos on RHEL5

    Hi Everyone,

    This is a heads-up for anyone using kerberos on RedHat Enterprise Linux
    5.

    I just solved a problem that's been a royal pain for me.

    I had console and gdm logins working fine for RHEL5 and I got kerberos
    single-signon working for ssh, but I had trouble getting password
    authentication working. It would accept my kerberos password, but I wouldn't
    have any tickets or tokens.

    To solve my problem, I had to enable the use_shmem option in
    /etc/krb5.conf for use with sshd.

    Here is the appdefaults section of my /etc/krb5.conf:

    [appdefaults]
        pam = {
            afs_cells = mycell.com
            ccache_dir = /tmp
            forwardable = true
            tokens = sshd
            external = sshd
            use_shmem = sshd
        }

    This was extremely irritating because my previous config files worked on
    RHEL5 beta2.

    I can now login using kerberos credentials on console or ssh.

    There are some quirks. sshd takes about 5-10 seconds to login; it seems
    to pause just after the "opening session" debug message in the secure
    log. It also grabs a kerberos 4 ticket and gets tokens, but it doesn't
    have a ticket for the afs service principal in the ticket cache.

    Anyways, my stuff works now and I'm happy for the moment. I just wanted
    to document this to save others the pain.

    Sincerely,
    Jason Edgecombe
    Solaris & Linux Administrator
    Mosaic Computing Group, College of Engineering
    UNC-Charlotte
    Phone: (704) 687-3514


    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos
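A configuration check for the fix described in this post, as an added example that is not part of the original thread: it parses the [appdefaults] pam = { ... } block of a krb5.conf and reports whether use_shmem, tokens and external name the sshd service. It assumes the Red Hat pam_krb5 convention that these options hold either a boolean or a space-separated list of PAM service names; the sample krb5.conf inside is constructed from the block posted above.

```python
# Added example (not from the thread): parse the [appdefaults] pam = {...}
# block of a krb5.conf and report which sshd options the posted fix relies on.
import re

# Constructed sample, built from the appdefaults block posted above.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = MYCELL.COM
[appdefaults]
pam = {
afs_cells = mycell.com
ccache_dir = /tmp
forwardable = true
tokens = sshd
external = sshd
use_shmem = sshd
}
"""

def parse_appdefaults_pam(text):
    """Return the key/value pairs inside [appdefaults] pam = { ... }.
    Handles 'key = value' lines and one level of 'name = {' nesting."""
    section = subsection = None
    settings = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:                                  # a new [section] header
            section, subsection = m.group(1), None
            continue
        if section != 'appdefaults':           # only appdefaults matters here
            continue
        m = re.match(r'^(\w+)\s*=\s*\{$', line)
        if m:                                  # 'pam = {' opens a block
            subsection = m.group(1)
            continue
        if line == '}':
            subsection = None
            continue
        if subsection == 'pam':
            key, _, value = line.partition('=')
            settings[key.strip()] = value.strip()
    return settings

def sshd_status(settings):
    """True per option when sshd is named, or when the option is a bare
    'true' (assumed to apply to every PAM service)."""
    out = {}
    for opt in ('use_shmem', 'tokens', 'external'):
        value = settings.get(opt, '').lower().split()
        out[opt] = 'sshd' in value or value == ['true']
    return out
```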


  2. Re: FYI: Kerberos on RHEL5

    Edgecombe, Jason writes:

    > This is a heads-up for anyone using kerberos on RedHat Enterprise Linux
    > 5.


    > I just solved a problem that's been a royal pain for me.


    > I had console and gdm logins working fine for RHEL5 and I got kerberos
    > single-signon working for ssh, but I had trouble getting password
    > authentication working. It would accept my kerberos password, but I wouldn't
    > have any tickets or tokens.


    > To solve my problem, I had to enable the use_shmem option in
    > /etc/krb5.conf for use with sshd.


    This is because the Red Hat PAM module tries to use PAM data to pass
    information between the auth module and the session module, which OpenSSH
    breaks due to its weird PAM handling.

    If you use:



    you shouldn't have this problem and you shouldn't have to use shared
    memory hacks to work around it. (I personally would rather use a
    temporary file cache than a shared memory cache because it's a hell of a
    lot easier to debug when something goes wrong. But mileage may vary.)

    I'm always interested in any shortcomings of my module that have people
    still using other PAM modules for reasons other than "I want to use the
    one that comes with the OS" and will try to fix them as I have time.

    --
    Russ Allbery (rra@stanford.edu)


  3. RE: FYI: Kerberos on RHEL5

    Thanks.

    I might try that.

    Are there any rpms for your pam_krb5?

    Thanks,
    Jason

    Jason Edgecombe
    Solaris & Linux Administrator
    Mosaic Computing Group, College of Engineering
    UNC-Charlotte
    Phone: (704) 687-3514




  4. Re: FYI: Kerberos on RHEL5

    Edgecombe, Jason writes:

    > I might try that.


    > Are there any rpms for your pam_krb5?


    Not yet, unfortunately, at least public ones. There are Stanford-internal
    ones, though. Here is the spec file that we use internally, if it's of
    any help. You'll need to change some of the package names.

    It's a very simple package.

    %define vers 3.4
    # Define global variables here
    %define rel %(cat /etc/redhat-release | cut -d' ' -f7)
    # Define source files here although the tag comes later
    %define source0 pam-krb5-%{vers}.tar.gz
    # 64bit work-around
    %define mylibdir lib

    Name: pam_krb5-SU
    Summary: pam-krb5 provides a Kerberos v5 PAM module that supports authentication, user ticket cache handling, simple authorization, and password changing.
    Version: %{vers}
    Release: 1.EL%{rel}
    Copyright: MIT
    Group: System Environment/Base
    Source0: http://archives.eyrie.org/software/kerberos/%{source0}
    BuildRoot: /var/tmp/%{name}-buildroot
    Vendor: Stanford University
    Conflicts: pam_krb5

    BuildRequires: pam-devel

    # no i386 builds unless we have to
    %ifarch i386
    BuildArch: i686
    %endif
    # 64bit work-around
    %ifarch x86_64
    %define mylibdir lib64
    %endif

    URL: http://www.stanford.edu/

    %description
    pam-krb5 provides a Kerberos v5 PAM module that supports authentication, user ticket cache handling, simple authorization (via .k5login or checking Kerberos principals against local usernames), and password changing.
    For RedHat systems, add these lines to the top of the /etc/pam.d/system-auth file sections for auth, account and session respectively:
    auth sufficient /%{mylibdir}/security/pam_krb5.so ignore_root minimum_uid=1000
    account required /%{mylibdir}/security/pam_krb5.so ignore_root minimum_uid=1000
    session optional /%{mylibdir}/security/pam_krb5.so ignore_root minimum_uid=1000

    %prep
    %setup -n pam-krb5-%{version}

    %build
    # %setup has already changed into the unpacked source directory
    ./configure
    env CFLAGS="-O2" make RPM_OPT_FLAGS="$RPM_OPT_FLAGS"

    %install
    if [[ $RPM_BUILD_ROOT != "/" ]]
    then
    rm -rf $RPM_BUILD_ROOT
    fi

    mkdir -p $RPM_BUILD_ROOT/%{mylibdir}/security/
    mkdir -p $RPM_BUILD_ROOT/usr/share/man/man5

    #make install DESTDIR=$RPM_BUILD_ROOT
    install -m 0755 pam_krb5.so $RPM_BUILD_ROOT/%{mylibdir}/security/pam_krb5.so
    install -m 0644 pam_krb5.5 $RPM_BUILD_ROOT/usr/share/man/man5/pam_krb5.5


    %clean
    if [[ $RPM_BUILD_ROOT != "/" ]]
    then
    rm -rf $RPM_BUILD_ROOT
    fi

    %files
    %defattr(-,root,root)
    /%{mylibdir}/security/*
    /usr/share/man/man5/*

    %post

    %preun

    %postun

    %changelog
    * Thu Feb 1 2007 Darren Patterson 3.4-1
    - updated to 3.4

    * Thu Jan 18 2007 Darren Patterson 3.2-1
    - updated to 3.2

    * Fri Jan 5 2007 Darren Patterson 3.1-1
    - updated to 3.1

    * Tue Dec 6 2006 Darren Patterson 2.6-1
    - updated to 2.6

    * Fri Nov 11 2006 Darren Patterson 2.5-1
    - updated to 2.5

    * Wed Nov 1 2006 Darren Patterson 2.4-2
    - fix bug with inserting arch in documentation

    * Mon Oct 9 2006 Darren Patterson 2.4-1
    - update to 2.4

    * Wed Oct 4 2006 Darren Patterson 2.3-1
    - new source release, 64bit cleanup for work-around

    * Mon Aug 14 2006 Darren Patterson 2.0-1
    - initial build

    --
    Russ Allbery (rra@stanford.edu)

