From nobody@FreeBSD.ORG Thu Oct 14 08:10:57 1999
Return-Path: <nobody@FreeBSD.ORG>
Received: by hub.freebsd.org (Postfix, from userid 32767)
	id 7508D14F6B; Thu, 14 Oct 1999 08:10:57 -0700 (PDT)
Message-Id: <19991014151057.7508D14F6B@hub.freebsd.org>
Date: Thu, 14 Oct 1999 08:10:57 -0700 (PDT)
From: randy@psg.com
Sender: nobody@FreeBSD.ORG
To: freebsd-gnats-submit@freebsd.org
Subject: kerberos4 pam-related breakage in current
X-Send-Pr-Version: www-1.0

>Number:         14326
>Category:       misc
>Synopsis:       kerberos4 pam-related breakage in current
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Oct 14 08:20:00 PDT 1999
>Closed-Date:    Thu Jan 17 08:12:05 PST 2002
>Last-Modified:  Thu Jan 17 08:38:54 PST 2002
>Originator:     Randy Bush
>Release:        4.0-current
>Organization:
ymbk
>Environment:
FreeBSD rip.psg.com 4.0-CURRENT FreeBSD 4.0-CURRENT #0: Tue Oct 12 05:55:02 PDT 1999     root@rip.psg.com:/usr/src/sys/compile/RIP  i386

>Description:
From: Randy Bush <randy@psg.com>
To: Mark Murray <mark@grondar.za>
Subject: Re: k4 and -current
Date: Wed, 13 Oct 1999 16:27:22 -0700

> OK - duplicate all the lines in pam.conf that begin with
> "login", and replace the regex "^login" with "rlogind" for
> the duplicated case.

> Repeat except replace with "rshd".

done

    # If you want KerberosIV authentication, uncomment the next line:
    login   auth    sufficient      pam_kerberosIV.so       try_first_pass
    shell   auth    sufficient      pam_kerberosIV.so       try_first_pass
    rlogind auth    sufficient      pam_kerberosIV.so       try_first_pass
    rshd    auth    sufficient      pam_kerberosIV.so       try_first_pass

> Let me know as much as possible about the failure after
> that...

roam.psg.com:/usr/home/randy> rsh rip ls
rsh: kcmd: connection unexpectedly closed.
Login incorrect.
roam.psg.com:/usr/home/randy> rsh rip ls
rsh: kcmd: connection unexpectedly closed.
Login incorrect.
roam.psg.com:/usr/home/randy> rsh -x rip ls
rsh: kcmd: connection unexpectedly closed.
rsh: the -x flag requires Kerberos authentication
roam.psg.com:/usr/home/randy> rlogin rip
rlogin: remote host doesn't support Kerberos: Connection refused
^C
roam.psg.com:/usr/home/randy> rlogin -x rip
rlogin: krcmd_mutual: Generic kerberos error (kfailure)
rlogin: the -x flag requires Kerberos authentication

Oct 13 16:22:00 rip rshd[84249]: connect from roam.psg.com
Oct 13 16:22:00 rip rshd[84249]: no modules loaded for `rshd' service
Oct 13 16:22:00 rip rshd[84249]: auth_pam: Permission denied
Oct 13 16:22:00 rip rshd[84249]: PAM authentication failed
Oct 13 16:22:00 rip rshd[84249]: randy@roam.psg.com as randy: permission denied. cmd='ls'
Oct 13 16:22:51 rip rshd[84268]: connect from roam.psg.com
Oct 13 16:22:51 rip rshd[84268]: connection from 147.28.0.38 on illegal port 5120
Oct 13 16:22:51 rip rshd[84269]: connect from roam.psg.com
Oct 13 16:22:51 rip rshd[84269]: no modules loaded for `rshd' service
Oct 13 16:22:51 rip rshd[84269]: auth_pam: Permission denied
Oct 13 16:22:51 rip rshd[84269]: PAM authentication failed
Oct 13 16:22:51 rip rshd[84269]: randy@roam.psg.com as randy: permission denied. cmd='ls'
Oct 13 16:24:35 rip rshd[84313]: connect from roam.psg.com
Oct 13 16:24:35 rip rshd[84313]: usage: rshd [-alnDL]
Oct 13 16:24:51 rip rlogind[84326]: usage: rlogind [-Dalnx]
Oct 13 16:24:51 rip rlogind[84326]: Connection from 147.28.0.38 on illegal port

>How-To-Repeat:
kerberos 4 rlogin/rsh to a -current host	
>Fix:


>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: mike 
State-Changed-When: Fri Jul 20 19:09:54 PDT 2001 
State-Changed-Why:  

Does this problem still occur in newer versions of FreeBSD, 
such as 4.3-RELEASE? 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=14326 
State-Changed-From-To: feedback->closed 
State-Changed-By: sheldonh 
State-Changed-When: Thu Jan 17 08:12:05 PST 2002 
State-Changed-Why:  
Automatic feedback timeout.  If additional feedback that warrants 
the re-opening of this PR is available but not included in the 
audit trail, please include the feedback in a reply to this message 
(preserving the Subject line) and ask that the PR be re-opened. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=14326 
>Unformatted:
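Added example, not part of the original problem report or of FreeBSD's own code: a shell version of the pam.conf step quoted in the description (copy every active `login` entry for `rlogind` and `rshd`), plus a check that lists services with no active `auth` entry, a condition worth ruling out when syslog shows `no modules loaded for` a service. The function names and the sample file are constructed for illustration; the `pam_unix.so` lines in the sample are assumed, not taken from the reporter's pam.conf.

```shell
#!/bin/sh
# Constructed sample input; not the reporter's actual pam.conf.
sample_conf() {
cat <<'EOF'
# If you want KerberosIV authentication, uncomment the next line:
login   auth    sufficient      pam_kerberosIV.so       try_first_pass
#login  auth    sufficient      pam_example.so
login   auth    required        pam_unix.so             try_first_pass
login   account required        pam_unix.so
shell   auth    sufficient      pam_kerberosIV.so       try_first_pass
EOF
}

# clone_service FROM TO: copy stdin to stdout, then append a copy of every
# active FROM entry with the service field changed to TO. Commented entries
# ("#login ...") are not copied because their first field is not FROM.
# A copy that is already present verbatim is not appended again, so the
# function can be re-run on its own output.
clone_service() {
    awk -v from="$1" -v to="$2" '
        { print; seen[$0] = 1 }
        $1 == from { sub(/^[ \t]*[^ \t]+/, to); dup[++n] = $0 }
        END { for (i = 1; i <= n; i++) if (!(dup[i] in seen)) print dup[i] }
    '
}

# missing_auth SERVICE...: read a pam.conf on stdin and print each named
# service that has no active "auth" entry, one per line.
missing_auth() {
    awk -v want="$*" '
        $2 == "auth" { have[$1] = 1 }
        END {
            n = split(want, s, " ")
            for (i = 1; i <= n; i++) if (!(s[i] in have)) print s[i]
        }
    '
}

# Demo on the constructed sample: list the gaps, then print the fixed file.
sample_conf | missing_auth login rlogind rshd
sample_conf | clone_service login rlogind | clone_service login rshd
```

On a real system, run `missing_auth` against a copy of the configuration first and review the cloned lines before installing them, since every module in the `login` stack is inherited by the new services.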
