Obtain Kerberos ticket automatically upon SSH login with PAM
Eric Shell
eshell at soe.ucsc.edu
Thu Aug 27 17:20:27 UTC 2015
Hi folks,

I'm trying to get a nice and tidy login process that authenticates users
via LDAP and also automatically grabs a Kerberos ticket so they can
immediately mount Kerberized NFSv4 exports without bothering to kinit. My
/etc/pam.d/system configuration is working for console logins, but I can't
get it working for SSH logins even when using basically the same chain.

With the debug argument to my pam_krb5.so line, I am getting this error in
/var/log/debug.log for SSH logins:

    sshd[7457]: in openpam_dispatch(): /usr/lib/pam_krb5.so.5: pam_sm_setcred(): failed to retrieve user credentials

Searching for that error on Google turns up a thread from 2013 that seems
to indicate that the problem lies with OpenSSH. Is that true? If so, is
there any way to make this work?

/etc/pam.d/system:

# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth optional pam_krb5.so debug try_first_pass
auth sufficient pam_ldap.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok

# account
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so

# session
#session optional pam_ssh.so want_agent
session required pam_lastlog.so no_fail

# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass

/etc/pam.d/sshd:

# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
#auth requisite pam_opieaccess.so no_warn allow_local
auth optional pam_krb5.so debug try_first_pass
auth sufficient pam_ldap.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass

# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so

# session
#session optional pam_ssh.so want_agent
session required pam_permit.so

# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass