Kerberos 5

Damian Sobieralski dsobiera at yahoo.com
Thu May 5 09:15:32 PDT 2005


> How did you confirm that you were authenticating via Kerberos?

  ESP?  :)  You're right, I don't KNOW that.  But if I didn't set a
password when I created the user, how else would it be authenticating?

Here's my /etc/pam.d/sshd file:

# auth
auth            required        pam_nologin.so          no_warn
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      pam_krb5.so             no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass

# account
account         required        pam_login_access.so
account         required        pam_unix.so

# session
session         required        pam_permit.so

# password
password        required        pam_unix.so             no_warn try_first_pass


> Do you have an environment variable like KRB5CCNAME set anywhere?

 I didn't set one so I don't think so.

> Which Kerberos are you talking about? 

 Another good question.  Whatever Kerberos that comes as the default in
FreeBSD 5.3-RELEASE. I didn't install any ports at first. I'm using
whatever came as stock as a pam module in /usr/lib/pam_krb5.  klist
also seemed installed already without any ports being added.  After I
wasn't getting any ticket from klist, I installed krb5 from
/usr/ports/security/krb5 after doing a cvsup on my ports. Same result.

> use and are perhaps running into path issues (running a different
> program than you think you're running)?

 Always possible. As I said, pam_krb5 was already there after my base
install.  

  I found it weird that pam_krb5 was already there.  Is this normal? 
All I did to "enable" what I thought/think was Kerberos authentication
for sshd was to set up the /etc/pam.d/sshd file like I stated above and
create a /etc/krb5.conf file.  Needless to say, I'm very new to
Kerberos and will take any advice happily.

- Damian
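
As an added illustration (not part of the original message), here is a simplified Python model of how the control flags in the auth chain quoted above decide which module ends up granting a login. The per-module outcomes passed in are constructed assumptions, not results observed on the poster's system.

```python
# Added example: simplified model of PAM control-flag evaluation.
# AUTH_STACK mirrors the "auth" lines of the /etc/pam.d/sshd quoted above.
AUTH_STACK = [
    ("required",   "pam_nologin.so"),
    ("sufficient", "pam_opie.so"),
    ("requisite",  "pam_opieaccess.so"),
    ("sufficient", "pam_krb5.so"),
    ("required",   "pam_unix.so"),
]


def evaluate(stack, outcome):
    """Walk the chain; outcome maps module name -> True (success) / False.

    Returns (granted, decided_by, modules_run).
    """
    required_failed = False
    ran = []
    for control, module in stack:
        ok = outcome[module]
        ran.append(module)
        if control == "requisite" and not ok:
            return False, module, ran      # chain stops, request denied
        if control == "required" and not ok:
            required_failed = True         # keep going, deny at the end
        if control == "sufficient" and ok and not required_failed:
            return True, module, ran       # chain stops, request granted
        # a failed "sufficient" module is simply ignored
    return (not required_failed), "end of chain", ran


# Constructed outcomes (assumptions): no nologin file, OPIE not set up
# for the user, so pam_opie fails and pam_opieaccess lets the chain go on.
BASE = {"pam_nologin.so": True, "pam_opie.so": False,
        "pam_opieaccess.so": True}


def scenario(krb5_ok, unix_ok=False):
    """Evaluate the stack for a given pam_krb5 / pam_unix outcome."""
    outcome = {**BASE, "pam_krb5.so": krb5_ok, "pam_unix.so": unix_ok}
    return evaluate(AUTH_STACK, outcome)


if __name__ == "__main__":
    for krb5_ok, unix_ok in [(True, False), (False, False), (False, True)]:
        granted, by, ran = scenario(krb5_ok, unix_ok)
        print(f"krb5={krb5_ok} unix={unix_ok} -> granted={granted} "
              f"decided_by={by} ran={len(ran)} modules")
```

In this model pam_unix.so is never consulted when pam_krb5.so succeeds, and a login granted at the end of the chain means pam_unix.so accepted the password instead.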



More information about the freebsd-questions mailing list