difficulty using SSH Kerberos PAM Authentication with 7.1 Release
KAK BO CHE
kak.bo.che at gmail.com
Mon Feb 23 11:29:31 PST 2009
I recently did a freebsd-update to a machine running 6.3 to 7.1. I am now
having difficulty getting pam_krb5 to work as it used to for sshd
authentication.
After upgrading to 7.1 I noticed the openpam_dispatch() and
pam_sm_authenticate() errors on my console when trying to login via ssh. I
fixed these by removing the pam_nologin module from the auth list in my sshd
pam config file.
My current pam sshd configuation file is as follows:
# auth
auth required pam_krb5.so no_warn
try_first_pass
#auth required pam_unix.so no_warn
try_first_pass nullok
# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so
session required pam_permit.so
# password
#password sufficient pam_krb5.so no_warn
try_first_pass
password required pam_unix.so no_warn
try_first_pass
If I attempt to login with the correct kerberos credentials I get the
following error:
pam_setcred() failed to retreive user credentials
If I reenable the "auth required pam_unix.so" line and change the line
before it to "auth sufficient pam_krb5.so" I can logon with either my
kerberos or the local system password, but no other password as expected.
Unfortunately, I cannot allow local user passwords to logon to the system.
What am I doing wrong a similar setup worked with FreeBSD 6.3, but the last
authenticaion module was pam_nologin.
Thanks,
--Troy
More information about the freebsd-questions
mailing list