Karen Eldredge <[email protected]> writes: > We recently just updated the pam-krb5 supplied by Russ Allbery from 3.10 > to 3.15 and since the update we are not able to ssh as root. Has anyone > seen this behavior before? Here are the contents of /var/log/messages. > It should be ignoring root, but from this log it seems to be failing at > pam_sm_authenticate & pam_setcred . Any help would be appreciated.
> Sep 1 09:53:55 sprftp sshd[29205]: (pam_krb5): none: ignoring root user > Sep 1 09:53:55 sprftp sshd[29205]: (pam_krb5): none: pam_sm_setcred: exit > (ignore) > Sep 1 09:53:55 sprftp sshd[29205]: pam_unix2(sshd:setcred): pam_sm_setcred() > called > Sep 1 09:53:55 sprftp sshd[29205]: pam_unix2(sshd:setcred): username=[root] > Sep 1 09:53:55 sprftp sshd[29205]: pam_unix2(sshd:setcred): pam_sm_setcred: > PAM_SUCCESS > Sep 1 09:53:55 sprftp sshd[29205]: fatal: PAM: pam_setcred(): The return > value should be ignored by PAM dispatch Sorry I hadn't gotten a chance to reply to your message on this. I believe you're running into this problem documented in the README: If you use a more complex configuration with the Linux PAM [] syntax for the session and account groups, note that pam_krb5 returns a status of ignore, not success, if the user didn't log on with Kerberos. You may need to handle that explicitly with ignore=ignore in your action list. except with setcred instead of with the session or account groups. I'd have to see your PAM configuration to be sure, though. -- Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/> _______________________________________________ OpenAFS-info mailing list [email protected] https://lists.openafs.org/mailman/listinfo/openafs-info
