Date: Thu, 27 Aug 2015 10:20:19 -0700
From: Eric Shell <eshell@soe.ucsc.edu>
To: freebsd-questions@freebsd.org
Subject: Obtain Kerberos ticket automatically upon SSH login with PAM
Message-ID: <CAG0%2B=VJq2dQfPJ1ZgVzryZt-9_Hs%2BYkzGGhdXn8%2BjF6nWUs3CQ@mail.gmail.com>

Hi folks,

I'm trying to get a nice and tidy login process that authenticates users via LDAP and also automatically grabs a Kerberos ticket so they can immediately mount Kerberized NFSv4 exports without bothering to kinit.

My /etc/pam.d/system configuration is working for console logins, but I can't get it working for SSH logins even when using basically the same chain. With the debug argument to my pam_krb5.so line, I am getting this error in /var/log/debug.log for SSH logins:

sshd[7457]: in openpam_dispatch(): /usr/lib/pam_krb5.so.5: pam_sm_setcred(): failed to retrieve user credentials

Searching for that error on Google turns up a thread from 2013 that seems to indicate that the problem lies with OpenSSH. Is that true? If so, is there any way to make this work?

/etc/pam.d/system:

# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth optional pam_krb5.so debug try_first_pass
auth sufficient pam_ldap.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok

# account
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so

# session
#session optional pam_ssh.so want_agent
session required pam_lastlog.so no_fail

# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass

/etc/pam.d/sshd:

# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
#auth requisite pam_opieaccess.so no_warn allow_local
auth optional pam_krb5.so debug try_first_pass
auth sufficient pam_ldap.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass

# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so

# session
#session optional pam_ssh.so want_agent
session required pam_permit.so

# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
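
Added example, not part of the original message: a small Python check that compares the active (uncommented) rules of the two PAM policy files quoted above, facility by facility, to see exactly where the "basically the same" chains differ. The function names parse and stack_diff are hypothetical helpers written for this example.

```python
# Added example: policy text copied from the message above, section-header comments omitted.
SYSTEM = """\
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth optional pam_krb5.so debug try_first_pass
auth sufficient pam_ldap.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
#session optional pam_ssh.so want_agent
session required pam_lastlog.so no_fail
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
"""
SSHD = """\
auth sufficient pam_opie.so no_warn no_fake_prompts
#auth requisite pam_opieaccess.so no_warn allow_local
auth optional pam_krb5.so debug try_first_pass
auth sufficient pam_ldap.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
#session optional pam_ssh.so want_agent
session required pam_permit.so
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
"""

def parse(text):
    # facility -> ordered list of active "control module args" rules
    stacks = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # '#' starts a comment
        if len(fields) >= 3:
            stacks.setdefault(fields[0], []).append(" ".join(fields[1:]))
    return stacks

def stack_diff(a, b):
    # facility -> (rules only in a, rules only in b); identical stacks omitted
    pa, pb = parse(a), parse(b)
    out = {f: ([r for r in pa.get(f, []) if r not in pb.get(f, [])],
               [r for r in pb.get(f, []) if r not in pa.get(f, [])])
           for f in sorted(set(pa) | set(pb))}
    return {f: d for f, d in out.items() if d != ([], [])}

print(stack_diff(SYSTEM, SSHD))
```

On the two files as posted, the differences are pam_opieaccess.so and the nullok option in auth, pam_nologin.so in account, and pam_lastlog.so versus pam_permit.so in session. The pam_krb5.so auth rule is the same in both.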