From: Volodymyr Kostyrko <c.kworr@gmail.com>
Date: Tue, 13 Dec 2011 10:58:27 +0200
To: Matt Mullins
Cc: freebsd-questions@freebsd.org
Subject: Re: PAM configuration to allow passwords from both Unix and Kerberos
Message-ID: <4EE713B3.7000401@gmail.com>
In-Reply-To: (Matt Mullins, 12.12.2011 20:35)
References: <4EE5CBFE.9050908@gmail.com>

12.12.2011 20:35, Matt Mullins wrote:
> On Mon, Dec 12, 2011 at 1:40 AM, Volodymyr Kostyrko wrote:
>> 10.12.2011 04:22, Matt Mullins wrote:
>>> auth optional pam_deny.so
>>> auth sufficient pam_unix.so no_warn try_first_pass
>>> auth sufficient pam_krb5.so no_warn try_first_pass
>>
>> Why haven't you just changed the last line to `required`?
>
> I did try that, but I omitted it due to completely failing behavior.
> pam_krb5.so returns failure during pam_setcred() if the user did not
> log in with Kerberos credentials, whereas pam_unix.so succeeds as long
> as the uid exists (I'm using nss_ldap for that part, so all the uids
> do indeed exist). Thus, pam_unix.so will work with "required", but
> pam_krb5.so won't.
>
>> Why don't you just get the stock `/usr/src/etc/pam.d/sshd` and uncomment
>> anything related to Kerberos? That's quite simple, unlike managing `su`.
>
> That's pretty much what I did. I'm a little unhappy since pam_krb5.so
> is before pam_unix.so in the list, so if the KDC goes down I have to
> wait for a time-out to log in to my system... but that's always better
> than letting anyone in :)

So how about:

auth sufficient pam_unix.so no_warn try_first_pass
auth sufficient pam_krb5.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass

-- 
Sphinx of black quartz judge my vow.
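To see how the two sshd auth stacks from this thread behave, here is an added example that is not part of the thread: a small Python model of PAM chain evaluation following the control-flag rules documented in FreeBSD's pam.conf(5). It models only the "auth" primitive (the pam_setcred() behaviour Matt describes is not modelled), and the modules are stubs that inspect a constructed credential dict rather than real pam_unix/pam_krb5 code.

```python
# Added example (not from the thread): a model of PAM auth-chain evaluation
# per the control-flag rules in FreeBSD's pam.conf(5). "auth" primitive only;
# pam_setcred() is not modelled. Modules are stubs over a constructed
# credential dict, so nothing here talks to a KDC or the password database.

SUCCESS, AUTH_ERR = "PAM_SUCCESS", "PAM_AUTH_ERR"

def pam_deny(creds):
    return AUTH_ERR                                   # always fails

def pam_unix(creds):                                  # local/NSS password
    return SUCCESS if creds.get("unix_pw_ok") else AUTH_ERR

def pam_krb5(creds):                                  # KDC password
    return SUCCESS if creds.get("krb5_pw_ok") else AUTH_ERR

def run_chain(chain, creds):
    """Evaluate chain = [(control_flag, module_fn), ...] against creds.
    Returns (result, names of modules actually called), so the caller can
    see whether pam_krb5 (and thus the KDC) was consulted at all."""
    called, any_ok, required_failed, err = [], False, False, None
    for flag, mod in chain:
        r = mod(creds)
        called.append(mod.__name__)
        if r == SUCCESS:
            any_ok = True
            # sufficient: stop here unless an earlier required module failed
            if flag == "sufficient" and not required_failed:
                break
            continue
        err = err or r                      # remember the first failure
        if flag == "requisite":             # failure ends the chain at once
            return r, called
        if flag == "required" and not required_failed:
            required_failed, err = True, r  # keep going, but deny in the end
    if required_failed:
        return err, called
    return (SUCCESS if any_ok else err), called

# Matt's stack as quoted in the thread: pam_krb5 is reached whenever pam_unix fails
MATT_STACK = [("optional", pam_deny),
              ("sufficient", pam_unix),
              ("sufficient", pam_krb5)]

# Volodymyr's proposal: pam_unix first, plus a trailing "required" pam_unix so
# the chain records a definite failure when neither password matches.
PROPOSED_STACK = [("sufficient", pam_unix),
                  ("sufficient", pam_krb5),
                  ("required", pam_unix)]

if __name__ == "__main__":
    for creds in ({"unix_pw_ok": True}, {"krb5_pw_ok": True}, {}):
        print(creds, run_chain(PROPOSED_STACK, creds))
```

With a matching Unix password the proposed stack stops after pam_unix, so the KDC is never contacted; with neither password matching, the trailing required pam_unix makes the result a definite denial.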