heimdal kerberos & ssh
Stijn Hoop
stijn at win.tue.nl
Wed Aug 31 13:19:18 GMT 2005
OK, I think I figured this out, at least partially:
On Wed, Aug 31, 2005 at 01:23:00PM +0200, Stijn Hoop wrote:
> So it seems that the authentication is working, however the TGT is not
> being saved.
It turns out that you really need to specify the 'ccache' parameter to pam_krb5
but in the correct format:
auth required pam_krb5.so no_warn try_first_pass ccache=FILE:/tmp/krb5_%u
Furthermore, do not test logging in with a user that has both a local account
and a kerberos principal -- it may confuse you :-/
For the record here is the /etc/pam.d/sshd that I think works:
%%%
# auth
auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth required pam_krb5.so no_warn try_first_pass ccache=FILE:/tmp/krb5_%u
# account
account required pam_krb5.so
account required pam_login_access.so
# session
session required pam_permit.so
# password
password required pam_krb5.so no_warn try_first_pass
%%%
However:
- I still don't get a valid cache file with a user that also has a local
password (manually doing kinit works just fine). This is really strange.
- there's a strange 2-3 second delay when logging in, that I can't explain.
It feels like some sort of timeout but I can't figure out what...
Anyone recognize this? And again, if there's someone out there with a working
setup, I'd love to see the config files.
--Stijn
--
This sentence contradicts itself -- no actually it doesn't.
-- Hofstadter
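As an added example (not part of the original post or of the FreeBSD pam_krb5 module), here is a small POSIX sh lint that encodes the one rule the post arrived at: the `auth ... pam_krb5.so` line in /etc/pam.d/sshd must carry a `ccache=` argument written in the full `FILE:/path` form. The function name `check_pam_krb5_ccache` and the three sample stacks are constructed for this example; the sample stacks are written to a temporary directory so the check runs offline.

```shell
#!/bin/sh
# Added example, not from the original post: lint an /etc/pam.d/sshd
# for the pam_krb5 'ccache=' argument discussed above.

# check_pam_krb5_ccache FILE
#   returns 0 when the first 'auth ... pam_krb5.so' line has ccache=FILE:/...
#   returns 1 (and prints why) when that line is missing, has no ccache=,
#   or has ccache= without the FILE: prefix
check_pam_krb5_ccache() {
    pamfile="$1"
    # first auth line that loads pam_krb5.so; the pipe to head keeps the
    # exit status 0 even when grep finds nothing
    line=$(grep -E '^[[:space:]]*auth[[:space:]]+.*pam_krb5\.so' "$pamfile" | head -n 1)
    if [ -z "$line" ]; then
        echo "$pamfile: no 'auth ... pam_krb5.so' line"
        return 1
    fi
    case "$line" in
        *ccache=FILE:/*)
            echo "$pamfile: ok ($line)"
            return 0 ;;
        *ccache=*)
            echo "$pamfile: ccache= given without the FILE: prefix ($line)"
            return 1 ;;
        *)
            echo "$pamfile: auth pam_krb5.so has no ccache= argument ($line)"
            return 1 ;;
    esac
}

# Constructed sample stacks (hypothetical files, written to a temp dir).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
GOOD_PAM="$SAMPLE_DIR/sshd.good"
NOPREFIX_PAM="$SAMPLE_DIR/sshd.noprefix"
MISSING_PAM="$SAMPLE_DIR/sshd.missing"

# the shape the post reports as working
cat > "$GOOD_PAM" <<'EOF'
auth required pam_nologin.so no_warn
auth required pam_krb5.so no_warn try_first_pass ccache=FILE:/tmp/krb5_%u
account required pam_krb5.so
EOF

# ccache present but not in the FILE:/path form
cat > "$NOPREFIX_PAM" <<'EOF'
auth required pam_nologin.so no_warn
auth required pam_krb5.so no_warn try_first_pass ccache=/tmp/krb5_%u
account required pam_krb5.so
EOF

# no ccache argument at all: authentication can succeed while no TGT is saved
cat > "$MISSING_PAM" <<'EOF'
auth required pam_nologin.so no_warn
auth required pam_krb5.so no_warn try_first_pass
account required pam_krb5.so
EOF

# run the check over all three; '|| :' keeps the loop going under set -e
for f in "$GOOD_PAM" "$NOPREFIX_PAM" "$MISSING_PAM"; do
    check_pam_krb5_ccache "$f" || :
done
```

Point it at the real file with `check_pam_krb5_ccache /etc/pam.d/sshd` after editing the stack; it only inspects the auth line and says nothing about whether the resulting cache is actually populated, which is the part the post still had open.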