Obtain Kerberos ticket automatically upon SSH login with PAM

Eric Shell eshell at soe.ucsc.edu
Thu Aug 27 22:08:21 UTC 2015


To answer my own question, it turns out that the pam_krb5 module included
with FreeBSD simply cannot do it.  The security/pam_krb5 port works
perfectly, however.

On Thu, Aug 27, 2015 at 10:20 AM, Eric Shell <eshell at soe.ucsc.edu> wrote:

> Hi folks,
>
> I'm trying to get a nice and tidy login process that authenticates users
> via LDAP and also automatically grabs a kerberos ticket so they can
> immediately mount Kerberized NFSv4 exports without bothering to kinit.  My
> /etc/pam.d/system configuration is working for console logins, but I can't
> get it working for SSH logins even when using basically the same chain.
>
> With the debug argument to my pam_krb5.so line, I am getting this error in
> /var/log/debug.log for SSH logins:
>
> sshd[7457]: in openpam_dispatch(): /usr/lib/pam_krb5.so.5:
> pam_sm_setcred(): failed to retrieve user credentials
>
> Searching for that error on Google turns up a thread from 2013 that seems
> to indicate that the problem lies with OpenSSH.  Is that true?  If so, is
> there any way to make this work?
>
>
>
> /etc/pam.d/system:
>
> # auth
> auth sufficient pam_opie.so no_warn no_fake_prompts
> auth requisite pam_opieaccess.so no_warn allow_local
> auth optional pam_krb5.so debug try_first_pass
> auth sufficient pam_ldap.so no_warn try_first_pass
> #auth sufficient pam_ssh.so no_warn try_first_pass
> auth required pam_unix.so no_warn try_first_pass nullok
>
> # account
> #account required pam_krb5.so
> account required pam_login_access.so
> account required pam_unix.so
>
> # session
> #session optional pam_ssh.so want_agent
> session required pam_lastlog.so no_fail
>
> # password
> #password sufficient pam_krb5.so no_warn try_first_pass
> password required pam_unix.so no_warn try_first_pass
>
>
>
> /etc/pam.d/sshd:
>
> # auth
> auth sufficient pam_opie.so no_warn no_fake_prompts
> #auth requisite pam_opieaccess.so no_warn allow_local
> auth optional pam_krb5.so debug try_first_pass
> auth sufficient pam_ldap.so no_warn try_first_pass
> #auth sufficient pam_ssh.so no_warn try_first_pass
> auth required pam_unix.so no_warn try_first_pass
>
> # account
> account required pam_nologin.so
> #account required pam_krb5.so
> account required pam_login_access.so
> account required pam_unix.so
>
> # session
> #session optional pam_ssh.so want_agent
> session required pam_permit.so
>
> # password
> #password sufficient pam_krb5.so no_warn try_first_pass
> password required pam_unix.so no_warn try_first_pass
>



-- 
Eric Shell
Apple & Google Apps Administrator
Baskin School of Engineering
UC Santa Cruz
831 459 4919
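To make the diagnosis above easier to repeat, here is a small checker (an added example, not code from the thread or from FreeBSD) that parses a FreeBSD-style /etc/pam.d/<service> file, reports how pam_krb5 is wired into each management group, and rewrites bare `pam_krb5.so` references so they point at the port's module instead of the base-system one. It embeds the quoted /etc/pam.d/sshd from the post as its constructed input. Two things are assumptions rather than facts from the thread: that OpenPAM resolves a bare module name by searching /usr/lib before /usr/local/lib (which is consistent with the log line naming /usr/lib/pam_krb5.so.5), and that the security/pam_krb5 port installs its module as /usr/local/lib/pam_krb5.so.

```python
"""Parse a FreeBSD-style /etc/pam.d/<service> file and check how pam_krb5 is wired in."""
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class PamRule:
    type: str        # management group: auth / account / session / password
    control: str     # required / requisite / sufficient / optional / binding
    module: str      # module name or absolute path
    args: List[str]  # module options, e.g. ["debug", "try_first_pass"]

# Constructed sample input: the /etc/pam.d/sshd quoted in the post.
SSHD_PAM = """\
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
#auth requisite pam_opieaccess.so no_warn allow_local
auth optional pam_krb5.so debug try_first_pass
auth sufficient pam_ldap.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass

# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so

# session
#session optional pam_ssh.so want_agent
session required pam_permit.so

# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
"""

# Assumption: OpenPAM searches these directories in order for a bare module name,
# so "pam_krb5.so" picks up the base-system module first (the log names /usr/lib/pam_krb5.so.5).
MODULE_SEARCH_PATH = ["/usr/lib", "/usr/local/lib"]
# Assumption: where the security/pam_krb5 port installs its module.
PORT_KRB5_MODULE = "/usr/local/lib/pam_krb5.so"

def parse_pam(text: str) -> List[PamRule]:
    """Return the active rules; comments and commented-out rules are dropped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM rule: {raw!r}")
        rules.append(PamRule(fields[0], fields[1], fields[2], fields[3:]))
    return rules

def resolve_module(module: str) -> str:
    """Absolute paths are used as-is; a bare name resolves to the first search directory."""
    if module.startswith("/"):
        return module
    return f"{MODULE_SEARCH_PATH[0]}/{module}"

def krb5_report(rules: List[PamRule]) -> Dict[str, dict]:
    """Summarise every active pam_krb5 rule, keyed by management group."""
    report = {}
    for r in rules:
        if "pam_krb5" not in r.module:
            continue
        report[r.type] = {
            "control": r.control,
            "path": resolve_module(r.module),
            "uses_port_module": r.module == PORT_KRB5_MODULE,
            "debug": "debug" in r.args,
        }
    return report

def switch_to_port_module(text: str) -> str:
    """Rewrite active bare pam_krb5.so rules to load the port's module; idempotent."""
    out = []
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) >= 3 and not fields[0].startswith("#") and fields[2] == "pam_krb5.so":
            fields[2] = PORT_KRB5_MODULE
            raw = " ".join(fields)
        out.append(raw)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for group, info in krb5_report(parse_pam(SSHD_PAM)).items():
        print(group, info)
    print(switch_to_port_module(SSHD_PAM))
```

Run against the quoted sshd file, the report shows pam_krb5 active only in the auth group, marked optional with debug on, and resolving to the base module; after the rewrite the same rule loads the port's module, which is the change the reply says made SSH logins work.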


More information about the freebsd-questions mailing list