Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 101361
| Summary: | RHSA-2003:222-01 breaks active directory authenticated KRB5 PAM | ||
|---|---|---|---|
| Product: | [Retired] Red Hat Linux | Reporter: | Need Real Name <m.keir> |
| Component: | openssh | Assignee: | Nalin Dahyabhai <nalin> |
| Status: | CLOSED DUPLICATE | QA Contact: | Brian Brock <bbrock> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 9 | CC: | alfred.hovdestad, lcole, m.a.young, mleary, psr, rcgraves, redhat |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i686 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2006-02-21 18:57:53 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Agreed here. Bad patch needs to be rolled back. Same failures with ssh v1 and ssh v2, with or without X11 forwarding. /usr/sbin/sshd -D -d -d dies with a segfault. debug1: userauth-request for user rcgraves service ssh-connection method password debug1: attempt 2 failures 2 debug2: input_userauth_request: try method password Segmentation fault debug1: Calling cleanup 0x8070d70(0x0) Possible dupe at bug 101183 I am having the same problem on several machines. Temporary workaround: I have not full investigated the security implications of this, but you can enable "Do not require Kerberos Preauthentication" in your AD accounts to get around this. There are two other possible workarounds, downgrade openssh to the previous package, or upgrade the krb5 libraries to the copy on rawhide, though in the latter case you will probably have to upgrade several other packages as well. I have another workaround/some more information. I found that the new rpm works with a Sun krb5 server but not a Windows DC. If I change my krb5.conf to authenticate against a Sun krb5 server, I can login with ssh. If I use the Windows DC, ssh fails. However, I can still login at the console with the Windows krb5 server, and I can still generate a krb5 ticket (kinit) with the Windows DC. Ditto for the Sun. It is only ssh that fails with the Windows DC. This appears to be fixed with the latest update to openssh.
Alfred
*** This bug has been marked as a duplicate of 101183 *** Changed to 'CLOSED' state since 'RESOLVED' has been deprecated. |
Description of problem: application of RHSA-2003:222-01 (upgrade to SSH) seems to break the use of KRB5 PAM authentication for SSH logins. It is possible to log in as root but not as a user. The session is immediately terminated by the daemon. Version-Release number of selected component (if applicable): known broken on RH7.2 and 8.0 as per advisory. How reproducible: apply patches. set machine to authenticate users using KRB5 with an active directory domain controller as the KRB5 server Steps to Reproduce: 1. apply patches 2. set machine to authenticate users using KRB5 with an active directory domain controller as the KRB5 server 3. ssh to machine as user - fails 4. use authconfig to unset KRB5 authentication 5. ssh to machine as user - works Actual results: Expected results: Additional info: rollback to previous version of SSH on affected machines works