SSH works with expired Kerberos Password

kerberos, pam, ssh

I have set up SSH single sign-on using Kerberos V5. When a user's password has expired, it returns 'Warning: password has expired.' and allows the user to log in! I even made changes in /etc/pam.d/password-auth such that pam_krb5.so comes above pam_unix.so:

Auth stack:

auth        requisite     pam_krb5.so uid >= 500

#Google authentication configuration module
auth        [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth        requisite  pam_google_authenticator.so


auth        [success=1 default=ignore]  pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
auth        requisite     pam_succeed_if.so uid >= 0 quiet

Account stack:

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so uid >= 500
account required pam_permit.so

Please suggest any changes to prevent users with expired passwords from logging in.

Logs:

krb5kdc.log

Jun 03 11:34:29 <HOST-NAME> krb5kdc[1752](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.181.40: CLIENT KEY EXPIRED: testyoga@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
Jun 03 11:34:47 <HOST-NAME> krb5kdc[1752](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.181.40: ISSUE: authtime 1464933887, etypes {rep=18 tkt=18 ses=18}, testyoga@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM

/var/log/auth.log

pam_krb5[24516]: authentication succeeds for 'testyoga' (testyoga@EXAMPLE.COM)

Best Answer

Edit:

Based on the contents of the provided account stack, it looks like pam_krb5.so will be skipped if pam_localuser.so succeeds. This is the most likely cause of the password aging restrictions not being applied.


Here's what we know so far:

  • The logged messages confirm that the user's password has expired.
  • pam_krb5 succeeds in authentication despite this.

I suspect your problem is that you don't have the account stack properly configured. There are a few different implementations of pam_krb5 out there, and not all of them implement the password aging check inside the auth stack:

http://linux.die.net/man/8/pam_krb5

When a user logs in, the module's authentication function performs a simple password check and, if possible, obtains Kerberos 5 credentials, caching them for later use. When the application requests initialization of credentials (or opens a session), the usual ticket files are created. When the application subsequently requests deletion of credentials or closing of the session, the module deletes the ticket files. When the application requests account management, if the module did not participate in authenticating the user, it will signal libpam to ignore the module. If the module did participate in authenticating the user, it will check for an expired user password and verify the user's authorization using the .k5login file of the user being authenticated, which is expected to be accessible to the module.

The job of the account stack is to enforce access policies, regardless of whether the authentication was successful. This is important, as the auth stack is frequently bypassed when using key-based authentication. It is up to individual developers to decide whether password aging should also result in a failure when calling the module in the auth context.

Conversely, the pam_krb5 implementation maintained by Russ Allbery (my preferred one) would have caught this in the auth stack.

https://www.eyrie.org/~eagle/software/pam-krb5/pam-krb5.html

account

Provides an implementation of pam_acct_mgmt(). All it does is do the same authorization check as performed by the pam_authenticate() implementation described above.
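As an added example (not code from the question, the answer, or any pam_krb5 project), here is a small Python model of how libpam walks a stack under the control flags documented in pam.conf(5). It parses the account stack exactly as posted and a reordered version that evaluates pam_krb5 before the two `sufficient` lines, then runs both against constructed module outcomes for testyoga (a local /etc/passwd user with uid >= 500 whose Kerberos password has expired). The keyword expansions (`required`, `requisite`, `sufficient`, `optional`) are the ones from pam.conf(5); that pam_krb5's account function reports the expiry as PAM_NEW_AUTHTOK_REQD is an assumption, and the other outcomes are constructed. The trace shows the posted stack returning PAM_SUCCESS after calling only pam_unix and pam_localuser, while the reordered stack reaches pam_krb5 and does not grant access.

```python
"""Model of Linux-PAM stack dispatch ([return=action] semantics from pam.conf(5))
run over the account stack from the question.

Added example, not code from the original post or from any pam_krb5 project.
Module outcomes are constructed for testyoga (uid >= 500, listed in /etc/passwd,
authenticated by pam_krb5 with an expired Kerberos password); the
PAM_NEW_AUTHTOK_REQD return from pam_krb5's account function is an assumption.
"""
import re
from typing import Dict, List, Tuple

SUCCESS = "PAM_SUCCESS"
AUTH_ERR = "PAM_AUTH_ERR"
PERM_DENIED = "PAM_PERM_DENIED"          # PAM_MUST_FAIL_CODE: result when nothing granted
NEW_AUTHTOK_REQD = "PAM_NEW_AUTHTOK_REQD"

# pam.conf(5) defines the keyword controls as these [return=action] tables.
KEYWORDS: Dict[str, Dict[str, str]] = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_stack(text: str) -> List[Tuple[Dict[str, str], str, List[str]]]:
    """Parse pam.d lines (keyword or [bracketed] control) into (table, module, args)."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable pam line: {raw!r}")
        _mtype, control, module, args = m.groups()
        if control.startswith("["):
            table = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            table = KEYWORDS[control]
        stack.append((table, module, args.split()))
    return stack


def dispatch(stack, outcomes: Dict[str, str]) -> Tuple[str, List[str]]:
    """Walk one stack the way libpam does; outcomes maps module -> simulated return.
    Returns (status handed to the application, modules that were actually called)."""
    impression = None          # None = undefined, True = positive, False = negative
    status, skip, called = PERM_DENIED, 0, []
    for table, module, _args in stack:
        if skip:               # inside a [success=N] jump
            skip -= 1
            continue
        retval = outcomes[module]
        called.append(module)
        action = table.get(retval[len("PAM_"):].lower(), table["default"])
        if action.isdigit():   # jump: counts as 'ok', then skips the next N modules
            skip, action = int(action), "ok"
        if action in ("ok", "done"):
            if impression is None or (impression and status == SUCCESS):
                impression, status = retval == SUCCESS, retval
            if impression and action == "done":
                break          # 'sufficient' success with no earlier failure: stop here
        elif action in ("bad", "die"):
            if impression is not False:   # the first failure fixes the stack's result
                impression, status = False, retval
            if action == "die":
                break
        elif action == "reset":
            impression, status = None, PERM_DENIED
        elif action != "ignore":
            raise ValueError(f"unknown action {action!r}")
    return status, called


POSTED_ACCOUNT_STACK = """
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so uid >= 500
account required pam_permit.so
"""

# One fix: evaluate pam_krb5 before any 'sufficient' line can end the stack.
FIXED_ACCOUNT_STACK = """
account required pam_unix.so broken_shadow
account [default=bad success=ok user_unknown=ignore] pam_krb5.so uid >= 500
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
"""

# Constructed outcomes for testyoga: local passwd entry, uid >= 500.
EXPIRED_KRB_PASSWORD = {
    "pam_unix.so": SUCCESS,           # local aging fine; broken_shadow tolerates no shadow row
    "pam_localuser.so": SUCCESS,      # user appears in /etc/passwd
    "pam_succeed_if.so": AUTH_ERR,    # 'uid < 500' is false for this user
    "pam_krb5.so": NEW_AUTHTOK_REQD,  # assumed code for "Kerberos password has expired"
    "pam_permit.so": SUCCESS,
}
VALID_KRB_PASSWORD = dict(EXPIRED_KRB_PASSWORD, **{"pam_krb5.so": SUCCESS})


def posted_result(outcomes: Dict[str, str]) -> Tuple[str, List[str]]:
    return dispatch(parse_stack(POSTED_ACCOUNT_STACK), outcomes)


def fixed_result(outcomes: Dict[str, str]) -> Tuple[str, List[str]]:
    return dispatch(parse_stack(FIXED_ACCOUNT_STACK), outcomes)


if __name__ == "__main__":
    for label, fn in (("posted", posted_result), ("fixed", fixed_result)):
        status, called = fn(EXPIRED_KRB_PASSWORD)
        print(f"{label:6} expired krb5 password -> {status}; called {called}")
```

Two caveats follow from the quoted man page rather than from the model: pam_krb5's account function only performs the check when the same module authenticated the user, so a public-key login still never trips it, and sshd treats PAM_NEW_AUTHTOK_REQD from the account stack as "must change password" rather than as a plain refusal, so a password login will get a change prompt instead of being dropped.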