Date: Mon, 12 Dec 2011 11:40:14 +0200
From: Volodymyr Kostyrko <c.kworr@gmail.com>
To: Matt Mullins <mokomull@gmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: PAM configuration to allow passwords from both Unix and Kerberos
Message-ID: <4EE5CBFE.9050908@gmail.com>
In-Reply-To: <CAPyT1SEZan8OZ1=r7bd4oyxuy=FAD9DFo=Wu27tRPzCQ%2BffRSQ@mail.gmail.com>
References: <CAPyT1SEZan8OZ1=r7bd4oyxuy=FAD9DFo=Wu27tRPzCQ%2BffRSQ@mail.gmail.com>
10.12.2011 04:22, Matt Mullins wrote:
> For my systems, the canonical source of authentication information is
> a Kerberos server, but I also want to support old-fashioned Unix
> passwords for a handful of users (including myself) just in case the
> Kerberos system is unreachable. I'm having a bit of trouble adjusting
> to the semantics of FreeBSD's PAM configuration, it seems. The
> following is what I have tried in /etc/pam.d/sshd:
>
> auth optional pam_deny.so
> auth sufficient pam_unix.so no_warn try_first_pass
> auth sufficient pam_krb5.so no_warn try_first_pass

Why haven't you just changed the last line to `required`?

> This does what I want: tries Unix authentication, and for most users,
> then goes and tries Kerberos authentication. However, it also seems
> to allow access if the module does something other than success or
> failure: I hit ^D at the SSH password prompt and it grants me access!
> Adding "debug" to these lines doesn't seem to get anything additional
> logged, so I'm actually not sure why PAM ends up with a success code
> somewhere.
>
> I flipped this logic around and did:
>
> auth sufficient pam_unix.so no_warn
> auth sufficient pam_krb5.so no_warn try_first_pass
> auth required pam_deny.so

That's not what you want. Read pam_deny(8). It has no use for real-world
scenarios except when something goes weird.

> This does exactly what I want for services like sudo, that just use
> pam_authenticate(), but since "sufficient" is equivalent to "optional"
> in pam_setcred(), sshd fails all authentications with:
> Dec 9 15:05:18 boron-shell sshd[66617]: fatal: PAM: pam_setcred():
> failed to retrieve user credentials
>
> I am completely stumped how to get this behavior working for both
> pam_authenticate and pam_setcred calls. Can someone enlighten me what
> a more normal way to do this would be?

Why don't you just get the stock `/usr/src/etc/pam.d/sshd` and uncomment
anything related to Kerberos? That's quite simple, unlike managing `su`.
-- Sphinx of black quartz judge my vow.
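As an added illustration (not text from either mail), this is the shape of the stock FreeBSD sshd PAM file the reply points to, with its Kerberos lines uncommented. It is reconstructed from memory of the base-system file, so compare it against your own /usr/src/etc/pam.d/sshd before using it; the comments explain why this chain does not fall through to success the way the original poster's did.

```conf
# /etc/pam.d/sshd -- stock FreeBSD layout with the Kerberos lines enabled
# (reconstructed for illustration; check against /usr/src/etc/pam.d/sshd)

# auth: pam_krb5 is "sufficient", so a Kerberos success ends the chain at
# once. pam_unix is "required" and sits last, so if every module before it
# returns something other than success (a closed prompt, an unreachable
# KDC), the chain still ends with whatever pam_unix reports. The original
# poster's chain had no "required" entry at all, which is why a non-answer
# at the password prompt could fall through to success. The same chain is
# what pam_setcred() walks, and the required pam_unix entry satisfies it.
auth		sufficient	pam_opie.so		no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so	no_warn allow_local
auth		sufficient	pam_krb5.so		no_warn try_first_pass
#auth		sufficient	pam_ssh.so		no_warn try_first_pass
auth		required	pam_unix.so		no_warn try_first_pass

# account: pam_krb5 only checks users who actually authenticated via
# Kerberos, so it can be "required" without breaking Unix-password logins.
account		required	pam_nologin.so
account		required	pam_krb5.so
account		required	pam_login_access.so
account		required	pam_unix.so

# session
#session	optional	pam_ssh.so		want_agent
session		required	pam_permit.so

# password: try the KDC first, fall back to the local password database.
password	sufficient	pam_krb5.so		no_warn try_first_pass
password	required	pam_unix.so		no_warn try_first_pass
```

Users who should keep a local fallback password simply need an entry in master.passwd; everyone else can have their local password field disabled so that only the Kerberos path can succeed for them.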