PAM configuration to allow passwords from both Unix and Kerberos

Matt Mullins mokomull at
Mon Dec 12 18:35:55 UTC 2011

On Mon, Dec 12, 2011 at 1:40 AM, Volodymyr Kostyrko <c.kworr at> wrote:
> 10.12.2011 04:22, Matt Mullins wrote:
>> auth optional
>> auth sufficient no_warn try_first_pass
>> auth sufficient no_warn try_first_pass
> Why haven't you just changed the last line to `required`?

I did try that, but I omitted it due to completely failing behavior. returns failure during pam_setcred() if the user did not
log in with Kerberos credentials, whereas succeeds as long
as the uid exists (I'm using nss_ldap for that part, so all the uids
do indeed exist).  Thus, will work with "required", but won't.

> Why don't you just get the stock `/usr/src/etc/pam.d/sshd` and uncomment anything
> related to Kerberos? That's quite simple, unlike managing `su`.

That's pretty much what I did.  I'm a little unhappy since
is before in the list, so if the KDC goes down I have to
wait for a time-out to log in to my system... but that's always better
than letting anyone in :)

Thanks for your help,
Matt Mullins

More information about the freebsd-questions mailing list