PAM configuration to allow passwords from both Unix and Kerberos

Matt Mullins mokomull at
Sat Dec 10 02:50:50 UTC 2011

For my systems, the canonical source of authentication information is
a Kerberos server, but I also want to support old-fashioned Unix
passwords for a handful of users (including myself) just in case the
Kerberos system is unreachable.  I'm having a bit of trouble adjusting
to the semantics of FreeBSD's PAM configuration, it seems.  The
following is what I have tried in /etc/pam.d/sshd:

auth optional
auth sufficient no_warn try_first_pass
auth sufficient no_warn try_first_pass

This does what I want: tries Unix authentication, and for most users,
then goes and tries Kerberos authentication.  However, it also seems
to allow access if the module does something other than success or
failure: I hit ^D at the SSH password prompt and it grants me access!
Adding "debug" to these lines doesn't seem to get anything additional
logged, so I'm actually not sure why PAM ends up with a success code

I flipped this logic around and did:

auth sufficient no_warn
auth sufficient no_warn try_first_pass
auth required

This does exactly what I want for services like sudo, that just use
pam_authenticate(), but since "sufficient" is equivalent to "optional"
in pam_setcred(), sshd fails all authentications with:
Dec  9 15:05:18 boron-shell sshd[66617]: fatal: PAM: pam_setcred():
failed to retrieve user credentials

I am completely stumped how to get this behavior working for both
pam_authenticate and pam_setcred calls.  Can someone enlighten me what
a more normal way to do this would be?
Matt Mullins

More information about the freebsd-questions mailing list