[8119] in Release_7.7_team
Re: locked out of my debathena workstation
daemon@ATHENA.MIT.EDU (Jonathan D Reed)
Sat Mar 14 21:11:53 2015
From: Jonathan D Reed <jdreed@mit.edu>
To: Quentin Smith <quentin@mit.edu>
CC: Alexander Chernyakhovsky <achernya@mit.edu>,
Alex T Prengel
<alexp@mit.edu>,
"release-team@mit.edu" <release-team@mit.edu>
Date: Sun, 15 Mar 2015 01:11:45 +0000
Message-ID: <9220E3AA-D0FD-4733-81F6-39BE72276DC7@mit.edu>
In-Reply-To: <alpine.DEB.2.02.1503142046050.3957@team-rocket.mit.edu>
Content-Language: en-US
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <49BD1C1E4E370A469D3C2E9D50FB2B16@exchange.mit.edu>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Oh, good call. That would make sense. Unfortunately, there’s no root password for Alex to trivially log in and fix this. We can reboot into single-user mode in person on Monday, of course. I vaguely wonder if bumping the key in kadmin would trigger a different failure in pam_krb5, such that Alex could log in, but I suspect not.
If this turns out to be the cause, we’ll definitely need to do some outreach (e.g. what jweiss has been doing with dialup users’ non-null instances) before this goes into production, I guarantee there are other machines out there which are in a similar state. Can a principal always getprinc itself? I assume running kadmin in the maintainer script is a terrible idea…
-Jon
On Mar 14, 2015, at 8:47 PM, Quentin Smith <quentin@mit.edu> wrote:
> It looks like Alex's host/dit.mit.edu principal is still single-DES; I'm guessing this failure is because pam_krb5 is trying to get a service ticket to protect from the Zanarotti attack.
>
> --Quentin
>
> On Sat, 14 Mar 2015, Alex Chernyakhovsky wrote:
>
>> I checked on mkc, which is a fully updated alpha workstation (development) and had no issues.
>> Workstations take updates automatically, so you may have had the update happen while you where logged in.
>> -Alex
>> On Sat, Mar 14, 2015, 8:24 PM Alex Prengel <alexp@mit.edu> wrote:
>> So Jon's reply answers this? But since I was logged in for a week at the
>> time the problem started I couldn't have taken an update that might have
>> caused this anyway.
>>
>> A.
>>
>> On 03/14/2015 12:35 PM, Alex Chernyakhovsky wrote:
>> > Hi,
>> >
>> > On Friday, Ben Kaduk moved a new copy of kerberos-config to proposed.
>> > I believe that will affect the beta workstations; the notable change
>> > is that allow_weak_crypto got turned off. Is your Athena password by
>> > any chance still using DES-only? That would explain these symptoms.
>> >
>> > Sincerely,
>> > -Alex
>> >
>> > On Sat, Mar 14, 2015 at 11:25 AM, Alex T Prengel <alexp@mit.edu> wrote:
>> >> Hi,
>> >>
>> >> I'm suddenly unable to log into my desktop machine (dit.mit.edu), debathena
>> >> workstation running Precise, since yesterday afternoon. I get
>> >> "authentication failure" on a graphical login attempt, a ctrl-alt-f1
>> >> terminal login attempt, and ssh attempts from other machines. I'm able to
>> >> log into other Athena machines, both locally and by ssh without problems.
>> >> I'm not sure if or when an update might have triggered this as I was logged
>> >> into the machine continuously since last Monday.
>> >>
>> >> Has anyone else seen this on beta workstations?
>> >>
>> >>
>> >> Alex