Obtain Kerberos ticket automatically upon SSH login with PAM

Eric Shell eshell at soe.ucsc.edu
Thu Aug 27 17:20:27 UTC 2015


Hi folks,

I'm trying to get a nice and tidy login process that authenticates users
via LDAP and also automatically grabs a Kerberos ticket so they can
immediately mount Kerberized NFSv4 exports without bothering to kinit.  My
/etc/pam.d/system configuration is working for console logins, but I can't
get it working for SSH logins even when using basically the same chain.

With the debug argument to my pam_krb5.so line, I am getting this error in
/var/log/debug.log for SSH logins:

sshd[7457]: in openpam_dispatch(): /usr/lib/pam_krb5.so.5: pam_sm_setcred(): failed to retrieve user credentials

Searching for that error on Google turns up a thread from 2013 that seems
to indicate that the problem lies with OpenSSH.  Is that true?  If so, is
there any way to make this work?



/etc/pam.d/system:

# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth optional pam_krb5.so debug try_first_pass
auth sufficient pam_ldap.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok

# account
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so

# session
#session optional pam_ssh.so want_agent
session required pam_lastlog.so no_fail

# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass



/etc/pam.d/sshd:

# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
#auth requisite pam_opieaccess.so no_warn allow_local
auth optional pam_krb5.so debug try_first_pass
auth sufficient pam_ldap.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass

# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so

# session
#session optional pam_ssh.so want_agent
session required pam_permit.so

# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
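
The two service files in the message above can be compared mechanically. The following is an added example, not part of the original post: it parses the active (uncommented) lines of both files as posted and lists the per-facility differences. The function names and the simplified parsing rules are assumptions of the example.

```python
# Added example; simplified parser (assumption): no "include" lines, no [bracket] controls.
SYSTEM = """\
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth optional pam_krb5.so debug try_first_pass
auth sufficient pam_ldap.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok
account required pam_login_access.so
account required pam_unix.so
session required pam_lastlog.so no_fail
password required pam_unix.so no_warn try_first_pass
"""
SSHD = """\
auth sufficient pam_opie.so no_warn no_fake_prompts
#auth requisite pam_opieaccess.so no_warn allow_local
auth optional pam_krb5.so debug try_first_pass
auth sufficient pam_ldap.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
account required pam_nologin.so
account required pam_login_access.so
account required pam_unix.so
session required pam_permit.so
password required pam_unix.so no_warn try_first_pass
"""

def parse_pam(text):
    """Return {facility: {module: (control, options)}} for active lines."""
    stacks = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments and blanks
        if fields:
            facility, control, module, *opts = fields
            stacks.setdefault(facility, {})[module] = (control, frozenset(opts))
    return stacks

def diff_chains(a, b, names=("system", "sshd")):
    """List (facility, module, difference) tuples between two parsed files."""
    out = []
    for fac in ("auth", "account", "session", "password"):
        ma, mb = a.get(fac, {}), b.get(fac, {})
        for mod in sorted(ma.keys() | mb.keys()):
            if mod not in ma or mod not in mb:
                out.append((fac, mod, "only in " + names[mod not in ma]))
            elif ma[mod] != mb[mod]:
                changed = sorted(ma[mod][1] ^ mb[mod][1]) or ["control flag"]
                out.append((fac, mod, "differs: " + " ".join(changed)))
    return out

if __name__ == "__main__":
    print(*diff_chains(parse_pam(SYSTEM), parse_pam(SSHD)), sep="\n")
```

On the files as posted, the pam_krb5.so auth line is identical in both. The differences are pam_opieaccess.so, the nullok option on pam_unix.so, pam_nologin.so, and the session module.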


More information about the freebsd-questions mailing list