Date: Mon, 12 Dec 2011 10:35:53 -0800
From: Matt Mullins <mokomull@gmail.com>
To: Volodymyr Kostyrko <c.kworr@gmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: PAM configuration to allow passwords from both Unix and Kerberos
Message-ID: <CAPyT1SEeTvLejgy2jPwP9UyuOQ2s9B%2Bhnm%2BGrOqvNfnQ_bXEfA@mail.gmail.com>
In-Reply-To: <4EE5CBFE.9050908@gmail.com>
References: <CAPyT1SEZan8OZ1=r7bd4oyxuy=FAD9DFo=Wu27tRPzCQ%2BffRSQ@mail.gmail.com> <4EE5CBFE.9050908@gmail.com>
On Mon, Dec 12, 2011 at 1:40 AM, Volodymyr Kostyrko <c.kworr@gmail.com> wrote:
> 10.12.2011 04:22, Matt Mullins wrote:
>> auth optional   pam_deny.so
>> auth sufficient pam_unix.so no_warn try_first_pass
>> auth sufficient pam_krb5.so no_warn try_first_pass
>
> Why haven't you just changed the last line to `required`?

I did try that, but I omitted it due to completely failing behavior.
pam_krb5.so returns failure during pam_setcred() if the user did not log in
with Kerberos credentials, whereas pam_unix.so succeeds as long as the uid
exists (I'm using nss_ldap for that part, so all the uids do indeed exist).
Thus, pam_unix.so will work with "required", but pam_krb5.so won't.

> Why not just get the stock `/usr/src/etc/pam.d/sshd` and uncomment anything
> related to Kerberos? That's quite simple, unlike managing `su`.

That's pretty much what I did. I'm a little unhappy since pam_krb5.so is
before pam_unix.so in the list, so if the KDC goes down I have to wait for a
time-out to log in to my system... but that's always better than letting
anyone in :)

Thanks for your help,
Matt Mullins
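As an added illustration, not part of the thread and not a verbatim copy of any FreeBSD release file, this is the shape of an /etc/pam.d/sshd stack laid out the way the stock file is, with the Kerberos lines uncommented as Matt describes. The non-Kerberos filler lines (pam_opie, pam_opieaccess, pam_nologin, pam_login_access, pam_permit) are reproduced from memory and should be checked against the stock file on the target system.

```pam
# /etc/pam.d/sshd -- stock-style layout with the Kerberos lines uncommented.
# Added illustration, reproduced from memory; compare with /usr/src/etc/pam.d/sshd.
#
# auth: pam_krb5 runs first and is "sufficient", so a password the KDC accepts
# ends the stack right there. If the KDC is unreachable, pam_krb5 has to time
# out before pam_unix gets its turn (the login delay mentioned in the thread).
# pam_unix is last and "required": the stack can never end with nothing but
# optional/sufficient failures, so a user who satisfies no module is denied.
# Marking pam_krb5 "required" instead is the variant the thread reports as
# broken: its pam_setcred() fails for users who did not obtain Kerberos
# credentials during auth, while pam_unix's succeeds for any existing uid.
auth        sufficient  pam_opie.so         no_warn no_fake_prompts
auth        requisite   pam_opieaccess.so   no_warn allow_local
auth        sufficient  pam_krb5.so         no_warn try_first_pass
auth        required    pam_unix.so         no_warn try_first_pass

# account: the stock file ships the pam_krb5 line commented out; it is
# enabled here to match "uncomment anything related to Kerberos".
account     required    pam_nologin.so
account     required    pam_krb5.so
account     required    pam_login_access.so
account     required    pam_unix.so

# session
session     required    pam_permit.so

# password: try the KDC first, fall back to the local password database.
password    sufficient  pam_krb5.so         no_warn try_first_pass
password    required    pam_unix.so         no_warn try_first_pass
```

A quick sanity check after editing is to log in over ssh as a Unix-password-only user and as a Kerberos user while watching auth.log; a stray "required" on pam_krb5 shows up as a setcred failure for the former.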