Kerberos
Damian Sobieralski
dsobiera at yahoo.com
Mon May 9 08:53:23 PDT 2005
Anyone?
Message: 20
Date: Thu, 5 May 2005 15:26:11 -0700 (PDT)
From: Damian Sobieralski <dsobiera at yahoo.com>
Subject: Re: Kerberos
To: freebsd-questions at freebsd.org
Message-ID: <20050505222611.56762.qmail at web50401.mail.yahoo.com>
Content-Type: text/plain; charset=us-ascii
> PAM does not map well to Kerberos, unfortunately. Generally speaking
> you want to avoid PAM with Kerberos if you can possibly use native
> Kerberos
> :-)
It seems my ignorance is kicking in here: how would they log into the
machine first, to issue "kinit"/native, if I don't use PAM to get them
INTO the machine?
> I haven't used pam_krb5 in a long time, but perhaps I can help debug
> things. Can you post your PAM configure for however it is that you're
> logging in? (SSH, local console, kerberos telnet, etc). The ccache=
> option to the PAM module looks applicable, for example.
I just modified the /etc/pam.d/sshd file (only using kerberos for
sshd):
# auth
auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient pam_krb5.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
account required pam_login_access.so
account required pam_unix.so
# session
session required pam_permit.so
# password
password required pam_unix.so no_warn try_first_pass
I wasn't using ccache but I looked it up and tried. I put in a goofy
filename and when I do a kdestroy, logout, log back in and do a klist,
I don't see my weird filename. It still is looking for the /tmp/krbcc_
one.
auth sufficient pam_krb5.so no_warn try_first_pass ccache=/tmp/bubba_u%u_p%p
When I log in via PAM and ssh, with this change shouldn't I see from
klist /tmp/bubba_u... as my ticket error, not the "no ticket found" with
the /tmp/krbcc ?
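Added example, not part of the post and not FreeBSD's own pam_krb5 code: the
auth stack above is the interesting bit, because "sufficient" before
"required" decides whether pam_unix is ever consulted and whether the
Kerberos ccache option even gets a chance to apply. The script below parses
the quoted sshd file (including the option words that the mail client wrapped
onto their own lines), walks the auth chain with OpenPAM-style control-flag
semantics, and expands the ccache= template so you can predict the file name
klist should report. What %u and %p expand to is an assumption here (numeric
uid and pid); the post does not say, and the sample config and verdicts are
constructed for illustration.

```python
"""Parse a wrapped /etc/pam.d/sshd and simulate its auth chain.

Added example for the mailing-list thread above; not code from the post
or from FreeBSD. Assumptions are labelled in comments.
"""

# Constructed sample: the poster's sshd PAM file as it arrived, with the
# option words the mail client wrapped onto lines of their own.
SAMPLE_PAM_SSHD = """\
# auth
auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn
no_fake_prompts
auth requisite pam_opieaccess.so no_warn
allow_local
auth sufficient pam_krb5.so no_warn
try_first_pass ccache=/tmp/bubba_u%u_p%p
auth required pam_unix.so no_warn
try_first_pass
# account
account required pam_login_access.so
account required pam_unix.so
# session
session required pam_permit.so
# password
password required pam_unix.so no_warn
try_first_pass
"""

FACILITIES = ("auth", "account", "session", "password")


def parse_pam(text):
    """Return entries as dicts {facility, control, module, options}.

    A non-comment line that does not start with a facility keyword is
    treated as the wrapped tail of the previous entry's option list.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        if words[0] in FACILITIES and len(words) >= 3:
            entries.append({"facility": words[0], "control": words[1],
                            "module": words[2], "options": words[3:]})
        elif entries:
            entries[-1]["options"].extend(words)
        else:
            raise ValueError("continuation line before any entry: %r" % line)
    return entries


def option_value(entry, name):
    """Value of a name=value option on one entry, or None if absent."""
    for opt in entry["options"]:
        if opt.startswith(name + "="):
            return opt[len(name) + 1:]
    return None


def expand_ccache(template, uid, pid):
    """Expand a pam_krb5 ccache= template.

    Assumption (not stated on the page): %u is the user's numeric uid and
    %p the pid of the authenticating process.
    """
    return template.replace("%u", str(uid)).replace("%p", str(pid))


def predict_ccache(entries, uid, pid):
    """Ccache name the auth-stack pam_krb5 entry would produce, or None."""
    for e in entries:
        if e["facility"] == "auth" and e["module"] == "pam_krb5.so":
            tmpl = option_value(e, "ccache")
            return expand_ccache(tmpl, uid, pid) if tmpl else None
    return None


def run_stack(entries, facility, verdicts):
    """Walk one facility's chain with OpenPAM-style control flags.

    verdicts maps module name -> True (success) / False (failure).
    Returns (chain_succeeded, modules_consulted_in_order).
    """
    consulted, failed = [], False
    for e in entries:
        if e["facility"] != facility:
            continue
        ok = verdicts.get(e["module"], False)
        consulted.append(e["module"])
        ctl = e["control"]
        if ctl == "required":          # failure noted, chain continues
            failed = failed or not ok
        elif ctl == "requisite":       # failure ends the chain at once
            if not ok:
                return False, consulted
        elif ctl in ("sufficient", "binding"):
            if ok and not failed:      # success short-circuits the rest
                return True, consulted
            if ctl == "binding" and not ok:
                failed = True
        elif ctl == "optional":
            pass
        else:
            raise ValueError("unknown control flag %r" % ctl)
    return not failed, consulted


if __name__ == "__main__":
    ents = parse_pam(SAMPLE_PAM_SSHD)
    print(predict_ccache(ents, 1001, 4242))
    print(run_stack(ents, "auth", {"pam_nologin.so": True, "pam_opie.so": False,
                                   "pam_opieaccess.so": True, "pam_krb5.so": True}))
```

With Kerberos succeeding the walk stops at pam_krb5 and pam_unix is never
asked; with Kerberos failing, try_first_pass hands the same password to
pam_unix, so a wrong ccache= setting would not lock anyone out, it would just
leave them with a local login and no ticket, which matches the "no ticket
found" symptom in the post.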