Date: Sat, 24 May 2014 21:29:12 +0000
From: Vinícius Ferrão <ferrao@if.ufrj.br>
To: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject: PAM configuration to allow passwords from both Unix and Kerberos
Message-ID: <76ABABB0-10FA-4870-B397-373CD14E0072@if.ufrj.br>
Hello guys, I'm trying to understand why this answer from 2011 on this list is a good way to solve the problem. It's strange to have two pam_unix.so lines in the same scope:

12.12.2011 20:35, Matt Mullins wrote:
> On Mon, Dec 12, 2011 at 1:40 AM, Volodymyr Kostyrko <c.kworr at gmail.com> wrote:
>> 10.12.2011 04:22, Matt Mullins wrote:
>>> auth optional pam_deny.so
>>> auth sufficient pam_unix.so no_warn try_first_pass
>>> auth sufficient pam_krb5.so no_warn try_first_pass
>>
>> Why haven't you just changed the last line to `required`?
>
> I did try that, but I omitted it due to completely failing behavior.
> pam_krb5.so returns failure during pam_setcred() if the user did not
> log in with Kerberos credentials, whereas pam_unix.so succeeds as long
> as the uid exists (I'm using nss_ldap for that part, so all the uids
> do indeed exist). Thus, pam_unix.so will work with "required", but
> pam_krb5.so won't.
>
>> Why not just get the stock `/usr/src/etc/pam.d/sshd` and uncomment anything
>> related to kerberos? That's quite simple, unlike managing `su`.
>
> That's pretty much what I did. I'm a little unhappy since pam_krb5.so
> is before pam_unix.so in the list, so if the KDC goes down I have to
> wait for a time-out to log in to my system... but that's always better
> than letting anyone in :)

So how about:

auth sufficient pam_unix.so no_warn try_first_pass
auth sufficient pam_krb5.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass

============

Thanks in advance,
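The control-flag behaviour the thread argues about can be traced with a small evaluator. The following is an added example, not code from the post or from OpenPAM: it is a simplified model of the documented `required`/`requisite`/`sufficient`/`optional` semantics, the per-scenario module return codes are constructed, and the `setcred` switch (which treats `sufficient` like `optional`) is an assumption modelled on Matt's account of pam_setcred(), not taken from any PAM implementation. It runs the three stacks from the thread (Matt's posted one, Volodymyr's "make the last line required" variant, and the one proposed in this message) against a local-password login, a Kerberos-password login, and a wrong password.

```python
# Added example, not part of the thread: a toy evaluator for PAM control flags
# used to compare the auth stacks discussed above. Module outcomes are constructed.

SUCCESS = "PAM_SUCCESS"
AUTH_ERR = "PAM_AUTH_ERR"
PERM_DENIED = "PAM_PERM_DENIED"


def run_stack(stack, results, setcred=False):
    """Evaluate stack = [(control, module), ...] with results = {module: code}.

    Simplified model of the documented control-flag semantics (assumption: a
    real dispatcher such as OpenPAM's has more states than this):
      requisite  failure ends the stack at once with that code
      required   failure is recorded (first one wins) but later lines still run
      sufficient success ends the stack with SUCCESS unless a required line
                 already failed; failure is ignored
      optional   failure is ignored
    With setcred=True every 'sufficient' line is treated as 'optional', an
    assumption modelled on the pam_setcred() behaviour described in the thread.
    Returns (final_code, modules_called_in_order).
    """
    called = []
    required_err = None   # first failure code from a required/requisite line
    any_success = False   # did some line whose result counts return SUCCESS?
    for control, module in stack:
        code = results[module]          # a module gives the same answer each time it is asked
        called.append(module)
        ok = code == SUCCESS
        if control == "sufficient" and setcred:
            control = "optional"
        if control == "sufficient":
            if ok and required_err is None:
                return SUCCESS, called
        elif control in ("required", "requisite"):
            if ok:
                any_success = True
            elif control == "requisite":
                return code, called
            elif required_err is None:
                required_err = code
        elif control == "optional":
            if ok:
                any_success = True
        else:
            raise ValueError(f"unknown control flag {control!r}")
    if required_err is not None:
        return required_err, called
    return (SUCCESS if any_success else PERM_DENIED), called


# The three stacks under discussion.
STACKS = {
    "matt": [("optional", "pam_deny.so"),
             ("sufficient", "pam_unix.so"),
             ("sufficient", "pam_krb5.so")],
    "krb5_required": [("optional", "pam_deny.so"),
                      ("sufficient", "pam_unix.so"),
                      ("required", "pam_krb5.so")],
    "proposed": [("sufficient", "pam_unix.so"),
                 ("sufficient", "pam_krb5.so"),
                 ("required", "pam_unix.so")],
}

# Constructed per-scenario module results (pam_deny.so always fails).
SCENARIOS = {
    "local_ok":   {"pam_deny.so": PERM_DENIED, "pam_unix.so": SUCCESS,  "pam_krb5.so": AUTH_ERR},
    "krb5_ok":    {"pam_deny.so": PERM_DENIED, "pam_unix.so": AUTH_ERR, "pam_krb5.so": SUCCESS},
    "both_wrong": {"pam_deny.so": PERM_DENIED, "pam_unix.so": AUTH_ERR, "pam_krb5.so": AUTH_ERR},
}


def compare(setcred=False):
    """Run every stack against every scenario; returns {scenario: {stack: (code, called)}}."""
    return {name: {sname: run_stack(stack, results, setcred)
                   for sname, stack in STACKS.items()}
            for name, results in SCENARIOS.items()}


if __name__ == "__main__":
    for phase, flag in (("auth", False), ("setcred (sufficient treated as optional)", True)):
        print(f"== {phase} ==")
        for scenario, outcomes in compare(flag).items():
            for sname, (code, called) in outcomes.items():
                print(f"{scenario:10} {sname:14} {code:16} called={called}")
```

In the auth phase the trailing `required pam_unix.so` of the proposed stack is only reached when both `sufficient` lines have already failed, so it can only repeat the answer pam_unix.so gave two lines earlier; it never changes the verdict for a user who logged in either way. The place the model shows a difference is the setcred-style pass, where a `required pam_krb5.so` fails a local-password user while a `required pam_unix.so` does not, which is the behaviour Matt reports.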