OpenSSH and Kerberos / Active Directory authentication problems: Credentials cache permission incorrect / No Credentials Cache found

Matthias Gerstner Matthias.Gerstner at nefkom.net
Wed Dec 7 08:18:53 EST 2005


> It also looks like it depends on if sshd was compiled with  --with-kerberos5
> It looks like in auth-passwd.c in auth_password() will call
> auth_krb5_password before the test for use_pam. auth_krb5_password calls
> Kerberos directly. (I am looking at OpenSSH-4.1p1)
> 
> So in effect it could try the Kerberos password twice once via auth_krb5_password
> and once via pam_krb5. I think we have seen this, but never knew why!

Just to keep the topic up to date: I've solved the issue with
"Credentials cache permission incorrect" when using OpenSSH's internal
kerberos support.

The problem was caused implicitly by the underlying Active-Directory in
our system. Because the Active-Directory only allows read access to the
user data in LDAP when the user is already authenticated to the AD we
have a kerberos keytab entry on every machine that allows getting a
ticket for a kind of init user.

To get access to LDAP data a valid ticket for this init user is needed.
This ticket is obtained automatically from system scripts. OpenSSH wants
to have read access to that ticket which is found in /tmp/krb5cc_0.

Permissions for /tmp/krb5cc_0 are by default 600 and owner:group is
root:root. But the ssh process runs as sshd user and has no access to
the ticket file. When the ticket is world readable the login works
perfectly.

I'll test the process of using LDAP and the service principal keytab
entry soon as well. Unfortunately I have no access to the
Active-Directory and have to wait till I get the keytab from the
responsible person.

Greetings,

Matthias Gerstner
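A small check for the permission mismatch the post describes, added here as an example and not part of the post or of OpenSSH. It assumes GNU stat (Linux) and a privilege-separation user named sshd; the cache path /tmp/krb5cc_0 is the one from the post.

```shell
# Decide how USER can reach a credentials cache given its octal MODE,
# OWNER and GROUP plus the user's group list. Pure function, so it can
# be exercised with constructed values without root. Prints one of:
# owner, group, world, none (POSIX rule: only one class of bits applies).
ccache_access() {
    mode=$1 owner=$2 group=$3 user=$4 user_groups=$5
    # Keep the last three octal digits; drops setuid/setgid/sticky,
    # and the left padding copes with short modes such as "0".
    perm=$(printf '%s' "000$mode" | sed 's/.*\(...\)$/\1/')
    u=$(printf '%s' "$perm" | cut -c1)
    g=$(printf '%s' "$perm" | cut -c2)
    o=$(printf '%s' "$perm" | cut -c3)
    if [ "$user" = "$owner" ]; then
        [ $((u & 4)) -ne 0 ] && echo owner || echo none
        return 0
    fi
    for grp in $user_groups; do
        if [ "$grp" = "$group" ]; then
            [ $((g & 4)) -ne 0 ] && echo group || echo none
            return 0
        fi
    done
    [ $((o & 4)) -ne 0 ] && echo world || echo none
    return 0
}

# Inspect a real cache file and report how USER (default: sshd, the
# privsep user) reaches it. Assumes GNU stat; BSD needs stat -f instead.
check_ccache() {
    path=${1:-/tmp/krb5cc_0} user=${2:-sshd}
    info=$(stat -c '%a %U %G' "$path" 2>/dev/null) \
        || { echo "cannot stat $path"; return 2; }
    set -- $info
    groups=$(id -Gn "$user" 2>/dev/null) \
        || { echo "no such user: $user"; return 2; }
    how=$(ccache_access "$1" "$2" "$3" "$user" "$groups")
    echo "$path: mode $1 $2:$3 -> $user access via $how"
    case $how in
        none)  echo "sshd cannot read the cache (the symptom from the post)" ;;
        # World-readable hands the init user's tickets to every local
        # account; a group-readable cache owned by sshd's group is narrower.
        world) echo "cache is readable by every local user" ;;
    esac
}
```

Running `check_ccache /tmp/krb5cc_0 sshd` on the affected host reproduces the `none` case from the post with the default 600 root:root cache.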