[35954] in Kerberos
Re: root login via Kerberos5 - "User not known to the underlying
daemon@ATHENA.MIT.EDU (Russ Allbery)
Sat Mar 29 16:45:22 2014
From: Russ Allbery <eagle@eyrie.org>
To: Wendy Lin <wendlin1974@gmail.com>
In-Reply-To: <CA+j=ERouC8YuQsiCfb5DxEng__asBkQ8xwX4i=Kf4YPeDf31Lw@mail.gmail.com>
(Wendy Lin's message of "Sat, 29 Mar 2014 14:01:07 +0100")
Date: Sat, 29 Mar 2014 13:44:10 -0700
Message-ID: <87ioqw3fc5.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Cc: "<kerberos@mit.edu>" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Wendy Lin <wendlin1974@gmail.com> writes:
> I turned on pam_krb5 debugging and received this in /var/log/messages:
> pam_krb5[3808]: user 'root' was not authenticated by pam_krb5,
> returning "User not known to the underlying authentication module"
> What does this mean?
Based on the debugging output, I think you're using the Red Hat PAM
module, which I don't know a lot about. But just taking a wild guess, I
wonder if that module is declining to authenticate root to a principal
named root for some reason.
That configuration is rather unusual (I don't recall anyone else doing
it), and usually would constitute a potential security vulnerability where
someone who could create arbitrary principals in the KDC could gain local
root access on any system using Kerberos. (There are some environments,
where Kerberos use is less central, where local root access is more secure
than the KDCs, or at least is in a different authentication domain that
shouldn't allow lateral movement.)
With my PAM module, the ignore_root and minimum_uid configuration options
control this behavior. I'm not sure off-hand if the PAM module you're
using has similar settings.
--
Russ Allbery (eagle@eyrie.org) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
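As an added illustration of the point Russ makes above (this is not code from the thread or from either pam_krb5 project): a small audit script that scans a PAM service file and flags `auth` lines that hand root over to `pam_krb5` without the `ignore_root` or `minimum_uid` options he names. The option semantics are those of Russ Allbery's pam-krb5 module as described in the message (`ignore_root` skips uid 0; `minimum_uid=N` skips uids below N); the PAM stack contents, file name and uid threshold are constructed samples, and the check makes no claim about what the Red Hat module accepts.

```python
"""Flag pam_krb5 'auth' lines that would let a 'root' principal log in as local root.

Added example, not from the mailing-list thread. Assumes the option names of
Russ Allbery's pam-krb5 (ignore_root, minimum_uid); other pam_krb5
implementations may spell their equivalents differently or lack them.
"""
import re
from typing import Dict, List, NamedTuple, Optional

# One PAM service-file line: type, control (bare word or [bracketed form]), module, args.
PAM_LINE = re.compile(
    r"^\s*(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)\s*(?P<args>.*)$"
)


class Finding(NamedTuple):
    lineno: int
    line: str
    reason: str


def parse_args(args: str) -> Dict[str, Optional[str]]:
    """Turn 'minimum_uid=1000 ignore_root' into {'minimum_uid': '1000', 'ignore_root': None}."""
    parsed: Dict[str, Optional[str]] = {}
    for token in args.split():
        key, sep, value = token.partition("=")
        parsed[key] = value if sep else None
    return parsed


def root_excluded(args: Dict[str, Optional[str]]) -> bool:
    """True if this pam_krb5 invocation will never try to authenticate uid 0."""
    if "ignore_root" in args:
        return True
    uid = args.get("minimum_uid")
    if uid is not None:
        try:
            return int(uid) > 0      # uid 0 is below the threshold only if N > 0
        except ValueError:
            return False             # unparsable value: assume nothing is excluded
    return False


def audit(pam_config: str) -> List[Finding]:
    """Return every 'auth ... pam_krb5.so' line that does not exclude root."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(pam_config.splitlines(), start=1):
        line = raw.split("#", 1)[0].rstrip()   # strip comments
        m = PAM_LINE.match(line)
        if not m or m.group("type") != "auth":
            continue
        module = m.group("module").rsplit("/", 1)[-1]   # tolerate absolute module paths
        if not module.startswith("pam_krb5"):
            continue
        if not root_excluded(parse_args(m.group("args"))):
            findings.append(Finding(
                lineno, line.strip(),
                "pam_krb5 auth line does not exclude root (no ignore_root, no minimum_uid>0): "
                "anyone able to create a 'root' principal in the KDC can log in as local root",
            ))
    return findings


# Constructed sample stacks (not taken from the thread). The weak one is the
# shape that produces the symptom discussed above: root is offered to Kerberos.
WEAK_PAM_AUTH = """\
# /etc/pam.d/system-auth (constructed sample)
auth        required      pam_env.so
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
"""

HARDENED_PAM_AUTH = """\
# /etc/pam.d/system-auth (constructed sample): root never reaches the KDC
auth        required      pam_env.so
auth        [success=done default=ignore] pam_krb5.so minimum_uid=1000 ignore_root use_first_pass
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_PAM_AUTH), ("hardened", HARDENED_PAM_AUTH)):
        print(f"{name}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print(f"  line {f.lineno}: {f.line}\n    {f.reason}")
```

Run against a real host by reading `/etc/pam.d/system-auth` (or whichever service file carries the Kerberos line) into `audit()`; a clean result means root authentication falls through to `pam_unix` and the KDC is never asked about a `root` principal, which is the behaviour the message recommends for environments where the KDC should not be able to grant local root.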