Re: root login via Kerberos5 - "User not known to the underlying
daemon@ATHENA.MIT.EDU (Wendy Lin)
Sat Mar 29 17:09:50 2014
In-Reply-To: <87ioqw3fc5.fsf@windlord.stanford.edu>
Date: Sat, 29 Mar 2014 22:09:34 +0100
Message-ID: <CA+j=ERqqhrQB6-d1k26odNiTmpmSUS3=e6dbvzwF9v_61JifHw@mail.gmail.com>
From: Wendy Lin <wendlin1974@gmail.com>
To: Russ Allbery <eagle@eyrie.org>
Cc: "<kerberos@mit.edu>" <kerberos@mit.edu>
On 29 March 2014 21:44, Russ Allbery <eagle@eyrie.org> wrote:
> Wendy Lin <wendlin1974@gmail.com> writes:
>
>> I turned on pam_krb5 debugging and received this in /var/log/messages:
>
>> pam_krb5[3808]: user 'root' was not authenticated by pam_krb5,
>> returning "User not known to the underlying authentication module"
>
>> What does this mean?
>
> Based on the debugging output, I think you're using the Red Hat PAM
> module, which I don't know a lot about. But just taking a wild guess, I
> wonder if that module is declining to authenticate root to a principal
> named root for some reason.
>
> That configuration is rather unusual (I don't recall anyone else doing
> it), and usually would constitute a potential security vulnerability where
> someone who could create arbitrary principals in the KDC could gain local
> root access on any system using Kerberos. (There are some environments,
> where Kerberos use is less central, where local root access is more secure
> than the KDCs, or at least is in a different authentication domain that
> shouldn't allow lateral movement.)
The KDC here is controlled by root, and root on all machines is all the
same person, so in our case it's not a problem.
> With my PAM module, the ignore_root and minimum_uid configuration options
> control this behavior. I'm not sure off-hand if the PAM module you're
> using has similar settings.
strings /lib64/security/pam_krb5.so | fgrep ignore_root
yields no matches.
/etc/krb5.conf has these entries for pam:

    pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        minimum_uid = 0
        clockskew = 300
        external = sshd
        use_shmem = sshd
        debug = true
    }
Wendy
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
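The point Russ raises above is that a `minimum_uid` which admits uid 0 turns "anyone who can create a `root` principal on the KDC" into "anyone who can become root on every Kerberos-joined host". As an added example, not code from the thread or from either pam_krb5 module, here is a POSIX shell audit that pulls `minimum_uid` out of the `pam = { ... }` stanza of a krb5.conf and flags the value Wendy's config uses. The constructed config text, the `[appdefaults]` section header around the stanza, and the hardened threshold of 1000 are assumptions for the demonstration; the only claim taken from the thread is that `minimum_uid = 0` leaves root mappable.

```shell
#!/bin/sh
# Audit the pam_krb5 stanza of a krb5.conf for a minimum_uid that admits root.
# Added example; the sample config below is constructed from the thread's
# stanza and is not a real host's file.

# Print the value of KEY ($2) inside the "pam = { ... }" stanza of FILE ($1).
# Prints nothing when the key is absent from the stanza.
pam_option() {
    awk -v key="$2" '
        /^[ \t]*pam[ \t]*=[ \t]*{/ { inpam = 1; next }
        inpam && /^[ \t]*}/        { inpam = 0 }
        inpam {
            n = split($0, kv, "=")
            if (n < 2) next
            gsub(/^[ \t]+|[ \t]+$/, "", kv[1])
            gsub(/^[ \t]+|[ \t]+$/, "", kv[2])
            if (kv[1] == key) { print kv[2]; exit }
        }' "$1"
}

# Return 0 when minimum_uid is a number of at least 1 (uid 0 can never be
# authenticated through Kerberos), 1 otherwise. An unset value is reported as
# a finding as well, because the effective floor is then whatever the module
# compiled in rather than something the administrator chose.
audit_minimum_uid() {
    min=$(pam_option "$1" minimum_uid)
    case "$min" in
        "")       echo "FINDING: minimum_uid not set in pam stanza; module default applies"; return 1 ;;
        *[!0-9]*) echo "FINDING: minimum_uid='$min' is not a number"; return 1 ;;
        0)        echo "FINDING: minimum_uid = 0 lets a KDC principal named root log in as local root"; return 1 ;;
        *)        echo "OK: minimum_uid = $min excludes uid 0"; return 0 ;;
    esac
}

# Write a constructed krb5.conf carrying the stanza from the thread (assumed
# to live under [appdefaults]) and audit it.
demo() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
[appdefaults]
    pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        minimum_uid = 0
        external = sshd
        debug = true
    }
EOF
    audit_minimum_uid "$cfg" || echo "-> raising minimum_uid to 1000 (assumed first regular uid)"
    # Hardened stanza: same options, but uid 0 is below the floor.
    cat > "$cfg" <<'EOF'
[appdefaults]
    pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        minimum_uid = 1000
        external = sshd
        debug = true
    }
EOF
    audit_minimum_uid "$cfg"
    rm -f "$cfg"
}

demo
```

The floor does not have to be 1000; any value of 1 or more keeps uid 0 out, which is the property Russ's `ignore_root` option provides directly in his module. Wendy's environment deliberately wants root mapped, so for her the finding is accepted risk rather than a bug, but the audit makes that choice explicit instead of leaving it as a default nobody reviewed.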