Bug 1153076 - .k5login file ignored in GSSAPI authentication
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: openssh
Version: 21
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Petr Lautrbach
QA Contact: Fedora Extras Quality Assurance
Reported: 2014-10-15 15:02 UTC by František Dvořák
Modified: 2014-11-14 12:10 UTC

Fixed In Version: openssh-6.6.1p1-7.fc21
Doc Type: Bug Fix
Last Closed: 2014-11-14 12:10:15 UTC
Type: Bug
Description František Dvořák 2014-10-15 15:02:54 UTC
Description of problem:

In Fedora 21, the .k5login file is ignored by the ssh server. Still, the .k5users file can be used instead.


Version-Release number of selected component (if applicable):

openssh-server-6.6.1p1-5.fc21.1.x86_64
krb5-libs-1.12.2-9.fc21.x86_64


How reproducible:
Always.


Steps to Reproduce:
0. you need a machine with openssh-server and working Kerberos:
  - machine has keytab
  - machine has proper krb5.conf

2. on server: echo "YOU_PRINCIPAL@YOUR_REALM" >> ~/.k5login

3. on client: kinit YOU_PRINCIPAL@YOUR_REALM

4. on client: ssh root@SERVER


Actual results:

- ssh client asks interactively for password

- event in /var/log/audit/audit.log:
type=USER_AUTH msg=audit(1413383249.883:157): pid=769 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=gssapi acct="root" exe="/usr/sbin/sshd" hostname=? addr=147.228.1.32 terminal=ssh res=failed'

- 'strace /usr/sbin/sshd' doesn't show attempts to read /root/.k5login


Expected results:

- non-interactive logging in


Additional info:

Comment 1 Sumit Bose 2014-10-16 16:20:09 UTC
Looks like the default of KerberosUseKuserok option changed. I guess if you add 

KerberosUseKuserok yes

to /etc/ssh/sshd_config it should work again.

Comment 2 František Dvořák 2014-10-16 19:51:02 UTC
I see, after enabling KerberosUseKuserok it works now! The option is mentioned in the sshd_config manual page.

It looks like this behaviour change comes from Fedora (servconf.c file):

http://pkgs.fedoraproject.org/cgit/openssh.git/commit/?id=7463b66c253822126bfb49a97b7d6b05a79cd019

Comment 3 Fedora Update System 2014-11-04 19:42:13 UTC
openssh-6.6.1p1-6.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/openssh-6.6.1p1-6.fc21

Comment 4 Petr Lautrbach 2014-11-04 19:48:07 UTC
I've reverted the default value of KerberosUseKuserok back to yes in the latest update. Please provide a karma if it works for you.

Comment 5 Fedora Update System 2014-11-05 19:24:37 UTC
Package openssh-6.6.1p1-6.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing openssh-6.6.1p1-6.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-14298/openssh-6.6.1p1-6.fc21
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2014-11-10 06:08:02 UTC
Package openssh-6.6.1p1-7.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing openssh-6.6.1p1-7.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-14298/openssh-6.6.1p1-7.fc21
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2014-11-14 12:10:15 UTC
openssh-6.6.1p1-7.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
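
The diagnosis from this thread, as an added example that is not part of the bug report or of the openssh package: it pairs failed `op=gssapi` audit events with an sshd_config that never sets KerberosUseKuserok, the case where the package default decides whether .k5login is consulted. The first audit line is the one from the description; the second audit line, the config fragment and the function names are constructed for illustration, and Match blocks are not evaluated.

```python
import re

AUDIT_RE = re.compile(
    r'type=USER_AUTH .*?op=(?P<op>\S+) acct="(?P<acct>[^"]*)"'
    r'.*?addr=(?P<addr>\S+).*?res=(?P<res>\w+)')

def effective_kuserok(config_text):
    """Value of KerberosUseKuserok in the global section, or None when the
    file leaves it to the package default. sshd keeps the first value seen."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        if keyword == "match":
            break  # simplification: Match blocks are not evaluated
        if keyword == "kerberosusekuserok" and len(parts) == 2:
            return parts[1].strip().strip('"')
    return None

def failed_gssapi(audit_lines):
    """(account, client address) for every failed GSSAPI USER_AUTH event."""
    hits = []
    for line in audit_lines:
        m = AUDIT_RE.search(line)
        if m and m["op"] == "gssapi" and m["res"] == "failed":
            hits.append((m["acct"], m["addr"]))
    return hits

def triage(config_text, audit_lines):
    """Flag the pattern from this bug: GSSAPI failures while kuserok is not 'yes'."""
    setting = effective_kuserok(config_text)
    failures = failed_gssapi(audit_lines)
    return {"kuserok": setting, "failures": failures,
            "suspect": bool(failures) and setting != "yes"}

# Constructed sshd_config fragment: the option is only present as a comment.
SAMPLE_CONFIG = """\
GSSAPIAuthentication yes
#KerberosUseKuserok yes
"""
# First line is from the bug description, second line is constructed.
SAMPLE_AUDIT = """\
type=USER_AUTH msg=audit(1413383249.883:157): pid=769 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=gssapi acct="root" exe="/usr/sbin/sshd" hostname=? addr=147.228.1.32 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1413383300.101:163): pid=802 uid=0 auid=4294967295 ses=4294967295 msg='op=password acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success'
""".splitlines()

if __name__ == "__main__":
    print(triage(SAMPLE_CONFIG, SAMPLE_AUDIT))
```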