[8123] in Release_7.7_team
Re: locked out of my debathena workstation
daemon@ATHENA.MIT.EDU (Jonathon Weiss)
Mon Mar 16 19:09:16 2015
From: Jonathon Weiss <jweiss@mit.edu>
To: Jonathan D Reed <jdreed@mit.edu>
cc: Quentin Smith <quentin@mit.edu>,
Alexander Chernyakhovsky <achernya@mit.edu>,
Alex T Prengel <alexp@mit.edu>,
"release-team\@mit.edu" <release-team@mit.edu>
In-reply-to: Your message of "Sun\, 15 Mar 2015 01\:11\:45 -0000."
<9220E3AA-D0FD-4733-81F6-39BE72276DC7@mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Date: Mon, 16 Mar 2015 19:09:08 -0400
Message-id: <20150316t190908p65519damsjw@speaker-for-the-dead.mit.edu>
Content-Transfer-Encoding: 8bit
Just to clarify, I've only been doing notifications for:
* dialup users' null instances
* user principals (regardless of instance) that are in ops managed .k5logins
-- Jonathon
Jonathan D Reed <jdreed@mit.edu> wrote:
> Oh, good call. That would make sense. Unfortunately, there’s no root password for Alex to trivially log in and fix this. We can reboot into single-user mode in person on Monday, of course. I vaguely wonder if bumping the key in kadmin would trigger a different failure in pam_krb5, such that Alex could log in, but I suspect not.
>
> If this turns out to be the cause, we’ll definitely need to do some outreach (e.g. what jweiss has been doing with dialup users’ non-null instances) before this goes into production, I guarantee there are other machines out there which are in a similar state. Can a principal always getprinc itself? I assume running kadmin in the maintainer script is a terrible idea…
>
> -Jon
>
>
> On Mar 14, 2015, at 8:47 PM, Quentin Smith <quentin@mit.edu> wrote:
>
> > It looks like Alex's host/dit.mit.edu principal is still single-DES; I'm guessing this failure is because pam_krb5 is trying to get a service ticket to protect from the Zanarotti attack.
> >
> > --Quentin
> >
> > On Sat, 14 Mar 2015, Alex Chernyakhovsky wrote:
> >
> >> I checked on mkc, which is a fully updated alpha workstation (development) and had no issues.
> >> Workstations take updates automatically, so you may have had the update happen while you where logged in.
> >> -Alex
> >> On Sat, Mar 14, 2015, 8:24 PM Alex Prengel <alexp@mit.edu> wrote:
> >> So Jon's reply answers this? But since I was logged in for a week at the
> >> time the problem started I couldn't have taken an update that might have
> >> caused this anyway.
> >>
> >> A.
> >>
> >> On 03/14/2015 12:35 PM, Alex Chernyakhovsky wrote:
> >> > Hi,
> >> >
> >> > On Friday, Ben Kaduk moved a new copy of kerberos-config to proposed.
> >> > I believe that will affect the beta workstations; the notable change
> >> > is that allow_weak_crypto got turned off. Is your Athena password by
> >> > any chance still using DES-only? That would explain these symptoms.
> >> >
> >> > Sincerely,
> >> > -Alex
> >> >
> >> > On Sat, Mar 14, 2015 at 11:25 AM, Alex T Prengel <alexp@mit.edu> wrote:
> >> >> Hi,
> >> >>
> >> >> I'm suddenly unable to log into my desktop machine (dit.mit.edu), debathena
> >> >> workstation running Precise, since yesterday afternoon. I get
> >> >> "authentication failure" on a graphical login attempt, a ctrl-alt-f1
> >> >> terminal login attempt, and ssh attempts from other machines. I'm able to
> >> >> log into other Athena machines, both locally and by ssh without problems.
> >> >> I'm not sure if or when an update might have triggered this as I was logged
> >> >> into the machine continuously since last Monday.
> >> >>
> >> >> Has anyone else seen this on beta workstations?
> >> >>
> >> >>
> >> >> Alex
>
