From owner-freebsd-questions@FreeBSD.ORG Mon Dec 12 10:04:05 2011
Message-ID: <4EE5CBFE.9050908@gmail.com>
Date: Mon, 12 Dec 2011 11:40:14 +0200
From: Volodymyr Kostyrko
To: Matt Mullins
Cc: freebsd-questions@freebsd.org
Subject: Re: PAM configuration to allow passwords from both Unix and Kerberos

10.12.2011 04:22, Matt Mullins wrote:
> For my systems, the canonical source of authentication information is
> a Kerberos server, but I also want to support old-fashioned Unix
> passwords for a handful of users (including myself) just in case the
> Kerberos system is unreachable. I'm having a bit of trouble adjusting
> to the semantics of FreeBSD's PAM configuration, it seems. The
> following is what I have tried in /etc/pam.d/sshd:
>
> auth optional pam_deny.so
> auth sufficient pam_unix.so no_warn try_first_pass
> auth sufficient pam_krb5.so no_warn try_first_pass

Why haven't you just changed the last line to `required`?

> This does what I want: tries Unix authentication, and for most users,
> then goes and tries Kerberos authentication. However, it also seems
> to allow access if the module does something other than success or
> failure: I hit ^D at the SSH password prompt and it grants me access!
> Adding "debug" to these lines doesn't seem to get anything additional
> logged, so I'm actually not sure why PAM ends up with a success code
> somewhere.
>
> I flipped this logic around and did:
>
> auth sufficient pam_unix.so no_warn
> auth sufficient pam_krb5.so no_warn try_first_pass
> auth required pam_deny.so

That's not what you want. Read pam_deny(8). It has no use in real-world
scenarios except when something goes weird.

> This does exactly what I want for services like sudo, that just use
> pam_authenticate(), but since "sufficient" is equivalent to "optional"
> in pam_setcred(), sshd fails all authentications with:
> Dec 9 15:05:18 boron-shell sshd[66617]: fatal: PAM: pam_setcred():
> failed to retrieve user credentials
>
> I am completely stumped how to get this behavior working for both
> pam_authenticate and pam_setcred calls. Can someone enlighten me what
> a more normal way to do this would be?

Why not just take the stock `/usr/src/etc/pam.d/sshd` and uncomment
anything related to Kerberos? That's quite simple, unlike managing `su`.

-- 
Sphinx of black quartz judge my vow.
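As an added illustration of the suggestion above (this script is not from the thread or from FreeBSD itself): a POSIX shell script that uncomments the pam_krb5.so entries of an sshd PAM file and lists the auth chain that results. The embedded file is a constructed approximation of the stock file's layout, not a verbatim copy; the same sed expression can be run against the real /usr/src/etc/pam.d/sshd.

```shell
#!/bin/sh
# Added example: enable the Kerberos entries in a stock-style FreeBSD
# /etc/pam.d/sshd by uncommenting every line that loads pam_krb5.so,
# then show the resulting "auth" chain in evaluation order.
#
# STOCK_SSHD is a constructed approximation of the stock file's layout
# (an assumption; compare with the real /usr/src/etc/pam.d/sshd).
STOCK_SSHD='# PAM configuration for the "sshd" service

# auth
#auth      sufficient  pam_krb5.so   no_warn try_first_pass
#auth      sufficient  pam_ssh.so    no_warn try_first_pass
auth       required    pam_unix.so   no_warn try_first_pass

# account
account    required    pam_nologin.so
#account   required    pam_krb5.so
account    required    pam_login_access.so
account    required    pam_unix.so

# session
session    required    pam_permit.so

# password
#password  sufficient  pam_krb5.so   no_warn try_first_pass
password   required    pam_unix.so   no_warn try_first_pass'

# enable_krb5: strip the leading "#" only from lines that reference
# pam_krb5.so; every other line, other comments included, is untouched.
enable_krb5() {
    printf '%s\n' "$1" | sed -e '/pam_krb5\.so/ s/^#//'
}

# auth_chain: print "<control-flag> <module>" for each active auth entry,
# in file order, so the evaluation order is easy to check by eye.
auth_chain() {
    printf '%s\n' "$1" | awk '$1 == "auth" { print $2, $3 }'
}

ENABLED=$(enable_krb5 "$STOCK_SSHD")
auth_chain "$ENABLED"
# prints:
# sufficient pam_krb5.so
# required pam_unix.so
```

The chain this produces, sufficient pam_krb5.so followed by required pam_unix.so, is the same shape the first remark above arrives at: a Kerberos success ends the chain, and anything else, an empty password included, still has to satisfy the required pam_unix.so entry rather than falling through to a grant.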