Date:      Mon, 9 May 2005 08:53:21 -0700 (PDT)
From:      Damian Sobieralski <dsobiera@yahoo.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: Kerberos
Message-ID:  <20050509155321.89400.qmail@web50408.mail.yahoo.com>
In-Reply-To: <20050506040544.3DFFE16A4D3@hub.freebsd.org>


  Anyone?

Message: 20
Date: Thu, 5 May 2005 15:26:11 -0700 (PDT)
From: Damian Sobieralski <dsobiera@yahoo.com>
Subject: Re: Kerberos
To: freebsd-questions@freebsd.org
Message-ID: <20050505222611.56762.qmail@web50401.mail.yahoo.com>
Content-Type: text/plain; charset=us-ascii


> PAM does not map well to Kerberos, unfortunately. Generally speaking
> you want to avoid PAM with Kerberos if you can possibly use native
> Kerberos :-)

 It seems my ignorance is kicking in here: how would they log into the
machine first, to issue "kinit"/native, if I don't use PAM to get them
INTO the machine?

> I haven't used pam_krb5 in a long time, but perhaps I can help debug
> things. Can you post your PAM configure for however it is that you're
> logging in? (SSH, local console, kerberos telnet, etc). The ccache=
> option to the PAM module looks applicable, for example.

 I just modified the /etc/pam.d/sshd file (only using kerberos for
sshd):

# auth
auth            required        pam_nologin.so          no_warn
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      pam_krb5.so             no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass

# account
account         required        pam_login_access.so
account         required        pam_unix.so

# session
session         required        pam_permit.so

# password
password        required        pam_unix.so             no_warn try_first_pass


 I wasn't using ccache but I looked it up and tried.  I put in a goofy
filename and when I do a kdestroy, logout, log back in and do a klist,
I don't see my weird filename.  It still is looking for the /tmp/krbcc_
one.

auth            sufficient      pam_krb5.so             no_warn try_first_pass ccache=/tmp/bubba_u%u_p%p

 When I log in via pam and ssh, with this change shouldn't I see from
klist /tmp/bubba_u... as my ticket error, not the "no ticket found" with
the /tmp/krbcc one?
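A small diagnostic for the situation above, added here as an example and not part of the thread or of pam_krb5 itself: it expands a pam_krb5 ccache= template (assumed, per pam_krb5(8), to replace %u with the numeric uid and %p with the pid of the process calling PAM, i.e. the sshd child rather than the user's shell, so the pid is matched as a wildcard when unknown) and compares it with the cache the logged-in session actually uses, which is what klist reads.

```shell
#!/bin/sh
# Added example, not from the original thread or from pam_krb5.
# Assumption: %u -> numeric uid, %p -> pid of the PAM-calling process.

# expand_ccache_template TEMPLATE UID [PID] -> shell glob pattern on stdout
# With no PID the %p field becomes [0-9]* so any pid matches.
expand_ccache_template() {
    _tpl=$1 _uid=$2 _pid=${3:-'[0-9]*'}
    printf '%s\n' "$_tpl" | sed -e "s/%u/$_uid/g" -e "s/%p/$_pid/g"
}

# cache_path NAME -> NAME without a FILE: prefix, so FILE:/tmp/x equals /tmp/x
cache_path() {
    case $1 in
        FILE:*) printf '%s\n' "${1#FILE:}" ;;
        *)      printf '%s\n' "$1" ;;
    esac
}

# check_session_cache TEMPLATE UID ACTUAL [PID] -> 0 on match, 1 on mismatch
# ACTUAL is the cache the session uses (KRB5CCNAME, or the /tmp/krb5cc_<uid>
# default when KRB5CCNAME is unset).
check_session_cache() {
    _pat=$(expand_ccache_template "$1" "$2" "$4")
    _act=$(cache_path "$3")
    case $_act in
        $_pat)
            echo "ok: session cache $_act matches template $1"
            return 0 ;;
    esac
    echo "mismatch: template $1 expands to $_pat but the session uses $_act"
    return 1
}

# On a live login, after sshd has run pam_setcred for the user:
# check_session_cache '/tmp/bubba_u%u_p%p' "$(id -u)" \
#     "${KRB5CCNAME:-/tmp/krb5cc_$(id -u)}"
```

A "mismatch" that still names /tmp/krb5cc_<uid> means the session never received the module's KRB5CCNAME, which points at the PAM stack or sshd's handling of the PAM environment rather than at the template itself.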


