Sunday, November 2, 2014

linux - error reading keytab file krb5.keytab



I've noticed these kerberos keytab error messages on both SLES 11.2 and CentOS 6.3:



sshd[31442]: pam_krb5[31442]: error reading keytab 'FILE:/etc/krb5.keytab'


/etc/krb5.keytab does not exist on our hosts, and from what I understand of the keytab file, we don't need it. Per this kerberos keytab introduction:





A keytab is a file containing pairs of Kerberos principals and
encrypted keys (these are derived from the Kerberos password). You can
use this file to log into Kerberos without being prompted for a
password. The most common personal use of keytab files is to allow
scripts to authenticate to Kerberos without human interaction, or
store a password in a plaintext file.




This sounds like something we do not need, and it is perhaps better security-wise not to have it.




How can I keep this error from popping up in our system logs? Here is my krb5.conf if it's useful:



banjer@myhost:~> cat /etc/krb5.conf
# This file managed by Puppet
#
[libdefaults]
    default_tkt_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
    default_tgs_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
    preferred_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
    default_realm = FOO.EXAMPLE.COM

    dns_lookup_kdc = true
    clockskew = 300

[logging]
    default = SYSLOG:NOTICE:DAEMON
    kdc = FILE:/var/log/kdc.log
    kadmind = FILE:/var/log/kadmind.log

[appdefaults]
    pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        retain_after_close = false
        minimum_uid = 0
        debug = false
        banner = "Enter your current"
    }



Let me know if you need to see any other configs. Thanks.



EDIT



This message shows up in /var/log/secure whenever a non-root user logs in via SSH or the console. It seems to only occur with password-based authentication. If I do a key-based ssh to a server, I don't see the error. If I log in with root, I do not see the error. Our Linux servers authenticate against Active Directory, so it's a hearty mix of PAM, samba, kerberos, and winbind that is used to authenticate a user.


Answer



To disable keytab validation and hence suppress these log messages, add the no_validate option to your PAM settings. For example:



auth        sufficient    pam_krb5.so use_first_pass no_validate



On my CentOS 6 servers, I made this change anywhere I saw pam_krb5.so being referenced in these two files:



/etc/pam.d/password-auth-ac
/etc/pam.d/system-auth-ac


I'm sure SLES is similar, but we're phasing that OS out, so I don't plan on testing it there.
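One thing worth keeping in mind before copying no_validate everywhere: the validation step pam_krb5 is complaining about is the check of the freshly obtained TGT against the host's own key in the keytab, which is what stops a spoofed KDC from answering the password prompt. On a host that genuinely has no keytab that check cannot run anyway, so no_validate only removes the log noise; on a host that does have one, the error is more likely a path or permissions problem worth fixing instead. The script below is an added example, not part of the question or answer above, and not from any Kerberos or PAM project: it audits the auth lines calling pam_krb5.so in a PAM config against whether a keytab file exists, and produces the no_validate edit as a reviewable copy rather than touching the file in place. The function names, the paths passed as arguments and the sample CentOS-6-style PAM stack are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original question or answer): relate the
# "no_validate" option on pam_krb5.so auth lines to whether a host keytab
# actually exists. pam_krb5 validates the user's TGT against the host key
# in the keytab; without a keytab that validation cannot happen, so the
# option only silences the "error reading keytab" message. With a keytab
# present, validation should stay on and the error deserves a look instead.
# All function names and paths here are assumptions made for the example.

# Usage: pam_krb5_auth_status PAM_CONFIG KEYTAB
# Prints one line per "auth ... pam_krb5.so" entry as "auth <state>":
#   validate-on      keytab present and no_validate not set (preferred)
#   validate-off     no_validate set (only sensible where no keytab exists)
#   validate-broken  no keytab but validation still requested: the logged error
pam_krb5_auth_status() {
    config=$1
    keytab=$2
    if [ -f "$keytab" ]; then have_keytab=1; else have_keytab=0; fi
    grep -E '^[[:space:]]*auth[[:space:]]' "$config" | grep 'pam_krb5\.so' |
    while read -r mtype rest; do
        case " $rest " in
            *' no_validate '*) state=validate-off ;;
            *) if [ "$have_keytab" -eq 1 ]; then
                   state=validate-on
               else
                   state=validate-broken
               fi ;;
        esac
        printf '%s %s\n' "$mtype" "$state"
    done
}

# Usage: pam_krb5_add_no_validate PAM_CONFIG
# Writes a copy of PAM_CONFIG to stdout with "no_validate" appended to every
# auth line calling pam_krb5.so that does not already carry it. Only auth
# lines are touched because that is where pam_krb5 performs TGT validation.
pam_krb5_add_no_validate() {
    sed -E '/^[[:space:]]*auth[[:space:]].*pam_krb5\.so/{/no_validate/!s/$/ no_validate/;}' "$1"
}

# Usage: make_sample_pam_config   (prints the path of a temporary file)
# Constructed sample modelled on a CentOS 6 password-auth stack; not a real
# file from any host.
make_sample_pam_config() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_krb5.so use_first_pass
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
password sufficient pam_krb5.so use_authtok
session optional pam_krb5.so
EOF
    printf '%s\n' "$f"
}

# Demo run against the sample stack: status before and after the change,
# using the conventional keytab path from the question.
sample=$(make_sample_pam_config)
echo "before: $(pam_krb5_auth_status "$sample" /etc/krb5.keytab)"
fixed=$(mktemp)
pam_krb5_add_no_validate "$sample" > "$fixed"
echo "after:  $(pam_krb5_auth_status "$fixed" /etc/krb5.keytab)"
rm -f "$sample" "$fixed"
```

Run it as root on a host so the keytab existence check sees the same file sshd does; pointing pam_krb5_auth_status at /etc/pam.d/password-auth-ac and /etc/pam.d/system-auth-ac covers the two files the answer mentions. The sed helper is idempotent, so re-running it over an already edited file adds nothing.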

