PAM configuration to allow passwords from both Unix and Kerberos
ferrao at if.ufrj.br
Sat May 24 21:38:03 UTC 2014
Hello guys, I’m trying to understand why this answer from 2011 on this list is a good way to solve the problem.
It’s strange to have two pam_unix.so lines in the same scope:
12.12.2011 20:35, Matt Mullins wrote:
> On Mon, Dec 12, 2011 at 1:40 AM, Volodymyr Kostyrko<c.kworr at gmail.com> wrote:
>> 10.12.2011 04:22, Matt Mullins wrote:
>>> auth optional pam_deny.so
>>> auth sufficient pam_unix.so no_warn try_first_pass
>>> auth sufficient pam_krb5.so no_warn try_first_pass
>> Why you just haven't changed the last line to `required`?
> I did try that, but I omitted it due to completely failing behavior.
> pam_krb5.so returns failure during pam_setcred() if the user did not
> log in with Kerberos credentials, whereas pam_unix.so succeeds as long
> as the uid exists (I'm using nss_ldap for that part, so all the uids
> do indeed exist). Thus, pam_unix.so will work with "required", but
> pam_krb5.so won't.
>> Why just don't get stock `/usr/src/etc/pam.d/sshd` and uncomment anything
>> related to kerberos? That's quite simple unlike managing `su`.
> That's pretty much what I did. I'm a little unhappy since pam_krb5.so
> is before pam_unix.so in the list, so if the KDC goes down I have to
> wait for a time-out to log in to my system... but that's always better
> than letting anyone in :)
So how about:
auth sufficient pam_unix.so no_warn try_first_pass
auth sufficient pam_krb5.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
Thanks in advance,
More information about the freebsd-questions