Package: libpam-krb5 Version: 3.11-4 Severity: important
Ever since I upgraded to Lenny, I cannot use GSSAPI to log in over SSH, and the problem seems to be with pam_krb5. When I turn on debug logging on it through PAM, I get the following messages: Feb 21 23:25:23 sosumi sshd[2506]: Authorized to fredrik, krb5 principal [email protected] (krb5_kuserok) Feb 21 23:25:23 sosumi sshd[2506]: (pam_krb5): none: pam_sm_acct_mgmt: entry (0x0) Feb 21 23:25:23 sosumi sshd[2506]: (pam_krb5): none: skipping non-Kerberos login Feb 21 23:25:23 sosumi sshd[2506]: (pam_krb5): none: pam_sm_acct_mgmt: exit (failure) Feb 21 23:25:23 sosumi sshd[2507]: fatal: Access denied for user fredrik by PAM account configuration This is weird, though, because looking at the source, it seems it should work differently. Apparently, it does correctly detect that it was not used for authentication, and the corresponding part of the source looks like this: if (pamret != PAM_SUCCESS || args->ctx == NULL) { pamret = PAM_IGNORE; pamk5_debug(args, "skipping non-Kerberos login"); goto done; } [...] done: EXIT(args, pamret); pamk5_args_free(args); return pamret; } The EXIT macro looks like this: #define EXIT(args, pamret) \ pamk5_debug((args), "%s: exit (%s)", __func__, \ ((pamret) == PAM_SUCCESS) ? "success" \ : (((pamret) == PAM_IGNORE) ? "ignore" : "failure")) So, apparently, pamret is set to PAM_IGNORE, but even in spite of that, the function exits with some pamret different from PAM_SUCCESS or PAM_IGNORE, even though there's no code in between. I have not yet been able to find it why, but I will continue debugging. Additionally, this particular output is from a PPC machine, but the same thing happens on my i386 machines. -- System Information: Debian Release: 5.0 APT prefers stable APT policy: (500, 'stable') Architecture: powerpc (ppc) Kernel: Linux 2.6.26-1-powerpc Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Versions of packages libpam-krb5 depends on: ii krb5-config 1.22 Configuration files for Kerberos V ii libc6 2.7-18 GNU C Library: Shared libraries ii libkrb53 1.6.dfsg.4~beta1-5 MIT Kerberos runtime libraries ii libpam0g 1.0.1-5 Pluggable Authentication Modules l libpam-krb5 recommends no packages. libpam-krb5 suggests no packages. -- no debconf information -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]
