OSX and Kerberos

Our Network Security folks have mandated that we "Kerberize" our systems to allow them to perform an authenticated scan. This consists of instructions to change /etc/pam.d/sshd from:

# sshd: auth account password session
auth       optional       pam_krb5.so use_kcminit
auth       optional       pam_ntlm.so try_first_pass
auth       optional       pam_mount.so try_first_pass
auth       required       pam_opendirectory.so try_first_pass
account    required       pam_nologin.so
account    required       pam_sacl.so sacl_service=ssh
account    required       pam_opendirectory.so
password   required       pam_opendirectory.so
session    required       pam_launchd.so
session    optional       pam_mount.so

To:

# sshd: auth account password session
auth       sufficient     pam_krb5.so try_first_pass default_principal
auth       optional       pam_ntlm.so try_first_pass
auth       optional       pam_mount.so try_first_pass
auth       required       pam_opendirectory.so try_first_pass
account    required       pam_nologin.so
account    required       pam_sacl.so sacl_service=ssh
account    required       pam_opendirectory.so
password   required       pam_opendirectory.so
session    required       pam_launchd.so
session    optional       pam_mount.so

And /etc/pam.d/sudo from:

# sudo: auth account password session
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so

To:

# sudo: auth account password session
auth       sufficient     pam_krb5.so try_first_pass default_principal
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so

Also to uncomment / add the following lines in /etc/sshd_config:

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

UsePAM yes

This results in two issues. One is that /tmp/ fills up with dozens or hundreds of krb5cc-XXXXXX files. The other is that sudo always fails on the first attempt with the error:

Dec  9 10:45:56 aria sudo[93207]: krb5_sendto_context is called on main thread, its a blocking api
Dec  9 10:45:56 aria sudo[93207]: in pam_sm_authenticate(): Kerberos 5 error

To top that off, they still complain about "invalid credentials" on some hosts. I have a very strong feeling that they know less about Kerberos than I do, which is saying something, as I don't know much more than how to spell it :) I tried klist, but couldn't get anything more useful than:

klist: krb5_cc_get_principal: No credentials cache file found

Googling hasn't helped me... the references I can find to those errors are nonspecific and usually include others (like "Kerberos refuses you" or something).

Any assistance appreciated!
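As an added example (not part of the original post, and not code from the network-security team), here is a small POSIX shell audit script that checks the two things the mandate changes and the two symptoms it produces: whether a PAM service file has `pam_krb5.so` as a `sufficient` auth entry ahead of `pam_opendirectory.so`, whether that service has any `session` entry for `pam_krb5.so` at all, what the effective sshd_config values for the GSSAPI and UsePAM keywords are (sshd keywords are case-insensitive, so `UsePam` and `UsePAM` are the same setting), and which `krb5cc*` caches in a directory have been sitting untouched for more than N days. The sample files in `write_samples` are constructed for offline testing: the two sshd PAM stacks are trimmed copies of the ones quoted above, and the fake `/tmp` contains one backdated cache. The `/etc/pam.d/*` and `/etc/sshd_config` paths in `audit_host` are the macOS paths the post uses; `sshd -T` and `klist` are the stock OpenSSH and Heimdal tools.

```shell
#!/bin/sh
# Added example, not from the original post: audit the Kerberos-related PAM
# and sshd settings described above and locate leftover krb5cc caches.
# The sample files written by write_samples are constructed for illustration.

# Print the "control module" pairs of a PAM service's auth stack,
# skipping comments and blank lines.
pam_auth_stack() {
    awk '$1 == "auth" { print $2, $3 }' "$1"
}

# Exit 0 when pam_krb5.so is a "sufficient" auth entry that comes before
# pam_opendirectory.so (the mandated ordering), 1 otherwise.
pam_krb5_precedes_od() {
    pam_auth_stack "$1" | awk '
        $2 == "pam_krb5.so" && $1 == "sufficient" { krb = NR }
        $2 == "pam_opendirectory.so"             { od = NR }
        END { exit !(krb > 0 && od > 0 && krb < od) }'
}

# Exit 0 when the service has a session entry for pam_krb5.so, 1 otherwise.
# The ccache is created during auth; whether anything removes it later depends
# on the module's session/setcred handling, so this is worth knowing when /tmp
# fills with krb5cc-* files.
pam_krb5_in_session() {
    awk '$1 == "session" && $3 == "pam_krb5.so" { found = 1 } END { exit !found }' "$1"
}

# Print the effective value of an sshd_config keyword: first match wins, as in
# sshd, and keywords are matched case-insensitively ("UsePam" == "UsePAM").
sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        $1 ~ /^#/ || NF < 2 { next }
        tolower($1) == key  { print $2; exit }' "$1"
}

# List krb5cc* caches directly inside a directory not modified for more than N days.
stale_krb5_caches() {
    find "$1" -maxdepth 1 -type f -name 'krb5cc*' -mtime +"$2"
}

# Constructed sample inputs: trimmed copies of the before/after sshd PAM stacks
# quoted in the post, a tiny sshd_config, and a fake /tmp with one stale cache.
write_samples() {
    cat > "$1/pam_sshd_before" <<'EOF'
auth       optional       pam_krb5.so use_kcminit
auth       optional       pam_ntlm.so try_first_pass
auth       required       pam_opendirectory.so try_first_pass
session    required       pam_launchd.so
EOF
    cat > "$1/pam_sshd_after" <<'EOF'
auth       sufficient     pam_krb5.so try_first_pass default_principal
auth       optional       pam_ntlm.so try_first_pass
auth       required       pam_opendirectory.so try_first_pass
session    required       pam_launchd.so
EOF
    printf '# comment\nGSSAPIAuthentication yes\nGSSAPICleanupCredentials yes\nUsePam yes\n' > "$1/sshd_config"
    mkdir -p "$1/tmp"
    : > "$1/tmp/krb5cc-fresh"
    : > "$1/tmp/krb5cc-old"
    touch -t 202001010000 "$1/tmp/krb5cc-old"   # backdate so -mtime +1 matches it
}

# Run the checks against the real host (macOS paths from the post; sshd -T needs root).
audit_host() {
    for svc in sshd sudo; do
        f=/etc/pam.d/$svc
        if pam_krb5_precedes_od "$f"; then echo "$f: pam_krb5 sufficient before opendirectory"
        else echo "$f: mandated ordering NOT present"; fi
        if pam_krb5_in_session "$f"; then echo "$f: has a session pam_krb5 entry"
        else echo "$f: no session pam_krb5 entry"; fi
    done
    for k in GSSAPIAuthentication GSSAPICleanupCredentials UsePAM; do
        echo "sshd_config $k = $(sshd_option /etc/sshd_config "$k")"
    done
    sshd -T 2>/dev/null | grep -i -e gssapi -e usepam || true   # effective values, if root
    echo "krb5cc caches in /tmp older than 1 day:"
    stale_krb5_caches /tmp 1
    # To look inside one leftover cache: KRB5CCNAME=FILE:/tmp/krb5cc-XXXXXX klist
}

if [ "${1:-}" = "audit" ]; then audit_host; fi
```

Run it as `sh audit.sh audit` on the affected host; the function-level pieces can also be sourced and pointed at copies of the files from a host that reports "invalid credentials" to compare its stacks with a working one.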