From owner-freebsd-questions@FreeBSD.ORG Mon Dec 12 18:35:55 2011
From: Matt Mullins
To: Volodymyr Kostyrko
Cc: freebsd-questions@freebsd.org
Date: Mon, 12 Dec 2011 10:35:53 -0800
Subject: Re: PAM configuration to allow passwords from both Unix and Kerberos
In-Reply-To: <4EE5CBFE.9050908@gmail.com>
List-Id: User questions

On Mon, Dec 12, 2011 at 1:40 AM, Volodymyr Kostyrko wrote:
> 10.12.2011 04:22, Matt Mullins wrote:
>> auth optional   pam_deny.so
>> auth sufficient pam_unix.so no_warn try_first_pass
>> auth sufficient pam_krb5.so no_warn try_first_pass
>
> Why haven't you just changed the last line to `required`?

I did try that, but I omitted it due to completely failing behavior.
pam_krb5.so returns failure during pam_setcred() if the user did not log
in with Kerberos credentials, whereas pam_unix.so succeeds as long as the
uid exists (I'm using nss_ldap for that part, so all the uids do indeed
exist). Thus, pam_unix.so will work with "required", but pam_krb5.so
won't.

> Why don't you just get the stock `/usr/src/etc/pam.d/sshd` and uncomment
> anything related to Kerberos? That's quite simple, unlike managing `su`.

That's pretty much what I did. I'm a little unhappy since pam_krb5.so is
before pam_unix.so in the list, so if the KDC goes down I have to wait for
a time-out to log in to my system... but that's always better than letting
anyone in :)

Thanks for your help,
Matt Mullins
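An added model, not part of this thread and not OpenPAM's own code, of why switching pam_krb5.so to `required` breaks local-password logins at pam_setcred() while pam_unix.so tolerates it. It assumes the pam.conf(5) control-flag semantics plus one OpenPAM detail taken from openpam_dispatch.c (for pam_setcred(), "sufficient" is treated as "optional", so the chain does not stop at the first success); the module outcomes are constructed, nothing here calls real PAM.

```python
from typing import Dict, List, Tuple

Chain = List[Tuple[str, str]]   # (control flag, module name), in pam.conf order
Outcomes = Dict[str, bool]      # module name -> does this module succeed?

FLAGS = ("required", "requisite", "sufficient", "optional")


def dispatch(chain: Chain, outcomes: Outcomes, primitive: str = "authenticate") -> bool:
    """Simplified walk of one PAM chain.

    required:   a failure sinks the chain, but later modules still run
    requisite:  a failure ends the chain immediately
    sufficient: a success ends the chain with success unless an earlier
                required module failed; a failure is ignored
    optional:   a failure is ignored; a success still counts as one
    Assumption (OpenPAM, openpam_dispatch.c): for pam_setcred() a
    "sufficient" entry behaves like "optional", so every module's
    pam_sm_setcred() is called and a "required" failure among them sinks it.
    """
    required_failed = False
    successes = 0
    for flag, module in chain:
        if flag not in FLAGS:
            raise ValueError(f"unknown control flag {flag!r}")
        if primitive == "setcred" and flag == "sufficient":
            flag = "optional"
        ok = outcomes[module]
        if ok:
            successes += 1
            if flag == "sufficient" and not required_failed:
                return True
        elif flag == "requisite":
            return False
        elif flag == "required":
            required_failed = True
    # No required failure: succeed only if at least one module actually did.
    return not required_failed and successes > 0


def login(chain: Chain, outcomes: Outcomes) -> bool:
    """sshd-style login: pam_authenticate() followed by pam_setcred()."""
    return dispatch(chain, outcomes, "authenticate") and dispatch(chain, outcomes, "setcred")


# The chain from the thread, and the variant with pam_krb5.so set to "required".
BOTH_SUFFICIENT: Chain = [("optional", "pam_deny.so"), ("sufficient", "pam_unix.so"), ("sufficient", "pam_krb5.so")]
KRB5_REQUIRED: Chain = [("optional", "pam_deny.so"), ("sufficient", "pam_unix.so"), ("required", "pam_krb5.so")]

# Constructed outcomes: a user with a Unix password but no Kerberos credentials.
# pam_unix succeeds in both phases (the uid exists); pam_krb5 fails in both.
LOCAL_USER: Outcomes = {"pam_deny.so": False, "pam_unix.so": True, "pam_krb5.so": False}
WRONG_PASSWORD: Outcomes = {"pam_deny.so": False, "pam_unix.so": False, "pam_krb5.so": False}
```

With `KRB5_REQUIRED`, pam_authenticate() passes (pam_unix.so is sufficient) but pam_setcred() walks the whole chain and pam_krb5.so's required failure sinks the login; with `BOTH_SUFFICIENT` the same user logs in, and a wrong password is still rejected because no module succeeded.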