PAM and SSH configuration issues
Ray Seals
rseals at vdsi.net
Tue Sep 28 10:21:58 PDT 2004
Hi,
I have a FreeBSD 5.2.1 box vanilla install. I want to configure ssh to
use pam_tacplus to do the authentication.
My ssh file in the /etc/pam directory looks like this:
%<--------------------------------------------------------------------->%
#
# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
#
# PAM configuration for the "sshd" service
#
# auth
auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_tacplus.so debug try_first_pass
#auth required pam_unix.so no_warn try_first_pass
# account
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so
session required pam_permit.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
%<--------------------------------------------------------------------->%
Sometimes this works and sometimes it doesn't work properly. I have a
couple of questions. For example, for my userid it works like it should
but for the guy in the cube from me, it still requires his old local
password.
- Once this is working, can I delete the userids out of the passwd file?
- As long as the userid is in the groups will SU still work for those
users?
- Will the user still map to their proper home directory?
- I guess that it's a good idea to keep a userid on the box that is
non-root but is still stored locally in case of any problems?
--
Ray Seals <rseals at vdsi.net>
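An added example, not part of the original message or of FreeBSD: a small parser for the pam.d(5) file format together with a simulation of the OpenPAM control-flag semantics (required, requisite, sufficient, binding, optional), run over the "auth" chain quoted above. The embedded configuration is a constructed copy of the uncommented lines of the posted file, with each module's options on the same line as the module. Module outcomes are supplied as a dict, so the behaviour of the chain can be examined without a TACACS+ server; the chain evaluation is a simplified model of openpam_dispatch(3), not OpenPAM's own code. Note also that sshd resolves the user with getpwnam(3) for uid and home directory independently of PAM, and that the "account" chain in the posted file still runs pam_unix.

```python
"""Parse a pam.d(5) file and simulate how a PAM chain is evaluated.

Added example; assumes the simplified OpenPAM semantics documented in
the comments below. Nothing here talks to a real PAM or TACACS+ service.
"""
from typing import Dict, List, Tuple

Entry = Tuple[str, str, List[str]]   # (control, module, options)

# Constructed copy of the uncommented lines of the posted /etc/pam.d/sshd.
SSHD_PAM = """\
auth     required   pam_nologin.so      no_warn
auth     sufficient pam_opie.so         no_warn no_fake_prompts
auth     requisite  pam_opieaccess.so   no_warn allow_local
auth     required   pam_tacplus.so      debug try_first_pass
account  required   pam_login_access.so
account  required   pam_unix.so
session  required   pam_permit.so
password required   pam_unix.so         no_warn try_first_pass
"""


def parse_pam_config(text: str) -> Dict[str, List[Entry]]:
    """Split pam.d(5) lines into per-facility chains.

    Every non-comment line needs at least three fields (facility, control,
    module). A shorter line is reported as malformed; this is exactly what
    happens when options are wrapped onto a line of their own.
    """
    chains: Dict[str, List[Entry]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: malformed entry {raw!r}")
        facility, control, module, *options = fields
        chains.setdefault(facility, []).append((control, module, options))
    return chains


def run_chain(chain: List[Entry], results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Evaluate one chain; results maps module -> True (success) / False.

    Modules missing from results are treated as failing. Returns
    (authenticated, trace). Simplified OpenPAM rules:
      required   failure is remembered, the chain keeps running, final = fail
      requisite  failure aborts the chain immediately
      sufficient success ends the chain with success unless a required
                 module already failed; failure is ignored
      binding    like sufficient on success, like required on failure
      optional   result ignored unless nothing else succeeded
    """
    trace: List[str] = []
    required_failed = False
    success_seen = False
    for control, module, _options in chain:
        ok = results.get(module, False)
        trace.append(f"{control:10s} {module:20s} -> {'ok' if ok else 'fail'}")
        if control in ("required", "binding"):
            if ok:
                success_seen = True
                if control == "binding" and not required_failed:
                    trace.append("binding success: chain ended")
                    return True, trace
            else:
                required_failed = True
        elif control == "requisite":
            if not ok:
                trace.append("requisite failure: chain aborted")
                return False, trace
            success_seen = True
        elif control == "sufficient":
            if ok and not required_failed:
                trace.append("sufficient success: chain ended")
                return True, trace
        elif control == "optional":
            success_seen = success_seen or ok
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return (not required_failed) and success_seen, trace


def auth_result(pam_text: str, results: Dict[str, bool]) -> bool:
    """Convenience wrapper: parse the file and run its 'auth' chain."""
    return run_chain(parse_pam_config(pam_text)["auth"], results)[0]


if __name__ == "__main__":
    # Scenario: user has no OPIE key; pam_opie fails (ignored), TACACS+ passes.
    ok, trace = run_chain(parse_pam_config(SSHD_PAM)["auth"],
                          {"pam_nologin.so": True, "pam_opieaccess.so": True,
                           "pam_tacplus.so": True})
    print("\n".join(trace), "\n=> authenticated:", ok)
```

Two things the simulation makes visible about the posted chain: pam_opie is `sufficient`, so a user who does have an OPIE key and answers the one-time-password prompt is accepted before pam_tacplus is ever consulted; and because pam_tacplus is `required`, uncommenting the `pam_unix.so` line as another `required` module would not act as a local fallback, since both would then have to succeed.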