Our Network Security folks have mandated that we "Kerberize" our systems to allow them to perform an authenticated scan. This consists of instructions to change /etc/pam.d/sshd from:
# sshd: auth account password session
auth optional pam_krb5.so use_kcminit
auth optional pam_ntlm.so try_first_pass
auth optional pam_mount.so try_first_pass
auth required pam_opendirectory.so try_first_pass
account required pam_nologin.so
account required pam_sacl.so sacl_service=ssh
account required pam_opendirectory.so
password required pam_opendirectory.so
session required pam_launchd.so
session optional pam_mount.so
To:
# sshd: auth account password session
auth sufficient pam_krb5.so try_first_pass default_principal
auth optional pam_ntlm.so try_first_pass
auth optional pam_mount.so try_first_pass
auth required pam_opendirectory.so try_first_pass
account required pam_nologin.so
account required pam_sacl.so sacl_service=ssh
account required pam_opendirectory.so
password required pam_opendirectory.so
session required pam_launchd.so
session optional pam_mount.so
And /etc/pam.d/sudo from:
# sudo: auth account password session
auth required pam_opendirectory.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so
To:
# sudo: auth account password session
auth sufficient pam_krb5.so try_first_pass default_principal
auth required pam_opendirectory.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so
Also to uncomment / add the following lines in /etc/sshd_config:
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePam yes
This results in two issues. One is that /tmp/ fills up with dozens or hundreds of krb5cc-XXXXXX files. The other is that sudo attempts always fail on the first attempt with the error:
Dec 9 10:45:56 aria sudo[93207]: krb5_sendto_context is called on main thread, its a blocking api
Dec 9 10:45:56 aria sudo[93207]: in pam_sm_authenticate(): Kerberos 5 error
To top that off, they still complain about "invalid credentials" on some hosts. I have a very strong feeling that they know less about Kerberos than I do, which is saying something, as I don't know much more than how to spell it. I tried klist, but couldn't get anything more useful than:
klist: krb5_cc_get_principal: No credentials cache file found
Googling hasn't helped me... the references I can find to those errors are nonspecific and usually include others (like "Kerberos refuses you" or something).
Any assistance appreciated!
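The following script is an added example, not part of the original post: it audits copies of the PAM stack and sshd_config edits described above and lists leftover krb5cc-* ticket caches in a directory, so an administrator can confirm the stacks really say what the mandate asked for (pam_krb5.so marked sufficient and placed ahead of pam_opendirectory.so, GSSAPIAuthentication and UsePAM enabled) and keep the cache directory from accumulating files that each hold a live user's tickets. The sample files it checks are constructed copies of the question's configuration, and the cache directory and age threshold are parameters, not values from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Audits PAM/sshd_config changes
# for Kerberos authentication and finds old krb5cc-* ticket caches.

# Control flag of the first "auth ... pam_krb5.so" line in a PAM stack file,
# or "none" if the module is not in the auth stack.
pam_krb5_control() {
  awk '$1 == "auth" && $3 == "pam_krb5.so" { print $2; found = 1; exit }
       END { if (!found) print "none" }' "$1"
}

# Succeeds if pam_krb5.so is listed before pam_opendirectory.so in the auth
# stack, i.e. the password can be tried against Kerberos first and then reused
# by pam_opendirectory.so via try_first_pass.
pam_krb5_first() {
  awk '$1 == "auth" && $3 == "pam_krb5.so" && !od { ok = 1 }
       $1 == "auth" && $3 == "pam_opendirectory.so" { od = 1 }
       END { exit (ok ? 0 : 1) }' "$1"
}

# Succeeds if the first uncommented occurrence of KEYWORD in an sshd_config
# file is set to "yes" (sshd keywords are case-insensitive; first match wins).
sshd_option_yes() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
      $1 !~ /^#/ && tolower($1) == key { val = tolower($2); exit }
      END { exit (val == "yes") ? 0 : 1 }' "$1"
}

# List krb5cc-* files in DIR older than MINUTES: candidates for cleanup, since
# each holds tickets for its owner and should not outlive the session.
stale_ccaches() {
  find "$1" -maxdepth 1 -name 'krb5cc-*' -type f -mmin +"$2"
}

# --- constructed sample input (copied from the question's before/after stacks) ---
work=$(mktemp -d)
cat > "$work/sshd.before" <<'EOF'
# sshd: auth account password session
auth optional pam_krb5.so use_kcminit
auth optional pam_ntlm.so try_first_pass
auth required pam_opendirectory.so try_first_pass
EOF
cat > "$work/sshd.after" <<'EOF'
# sshd: auth account password session
auth sufficient pam_krb5.so try_first_pass default_principal
auth optional pam_ntlm.so try_first_pass
auth required pam_opendirectory.so try_first_pass
EOF
cat > "$work/sshd_config" <<'EOF'
#GSSAPIAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePam yes
EOF
# Constructed ticket caches: one fresh, one with an old modification time.
mkdir "$work/tmp"
touch "$work/tmp/krb5cc-fresh"
touch -t 202001010000 "$work/tmp/krb5cc-old"

for f in sshd.before sshd.after; do
  printf '%s: pam_krb5 control=%s, before pam_opendirectory=%s\n' "$f" \
    "$(pam_krb5_control "$work/$f")" \
    "$(pam_krb5_first "$work/$f" && echo yes || echo no)"
done
for opt in GSSAPIAuthentication GSSAPICleanupCredentials UsePAM; do
  sshd_option_yes "$work/sshd_config" "$opt" && echo "$opt is enabled"
done
echo "ticket caches older than 60 minutes:"
stale_ccaches "$work/tmp" 60
```

Point the functions at the real files (/etc/pam.d/sshd, /etc/pam.d/sudo, /etc/sshd_config, /tmp) to audit a live host; the stale-cache listing is a report, not a deletion, so it can be reviewed before anything is removed.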