PAM configuration to allow passwords from both Unix and Kerberos

Volodymyr Kostyrko c.kworr at gmail.com
Mon Dec 12 10:04:05 UTC 2011


10.12.2011 04:22, Matt Mullins wrote:
> For my systems, the canonical source of authentication information is
> a Kerberos server, but I also want to support old-fashioned Unix
> passwords for a handful of users (including myself) just in case the
> Kerberos system is unreachable.  I'm having a bit of trouble adjusting
> to the semantics of FreeBSD's PAM configuration, it seems.  The
> following is what I have tried in /etc/pam.d/sshd:
>
> auth optional   pam_deny.so
> auth sufficient pam_unix.so no_warn try_first_pass
> auth sufficient pam_krb5.so no_warn try_first_pass

Why haven't you just changed the last line to `required`?

> This does what I want: tries Unix authentication, and for most users,
> then goes and tries Kerberos authentication.  However, it also seems
> to allow access if the module does something other than success or
> failure: I hit ^D at the SSH password prompt and it grants me access!
> Adding "debug" to these lines doesn't seem to get anything additional
> logged, so I'm actually not sure why PAM ends up with a success code
> somewhere.
>
> I flipped this logic around and did:
>
> auth sufficient pam_unix.so no_warn
> auth sufficient pam_krb5.so no_warn try_first_pass
> auth required   pam_deny.so

That's not what you want. Read pam_deny(8). It has no use for real-world 
scenarios except when something goes weird.

> This does exactly what I want for services like sudo, that just use
> pam_authenticate(), but since "sufficient" is equivalent to "optional"
> in pam_setcred(), sshd fails all authentications with:
> Dec  9 15:05:18 boron-shell sshd[66617]: fatal: PAM: pam_setcred():
> failed to retrieve user credentials
>
> I am completely stumped how to get this behavior working for both
> pam_authenticate and pam_setcred calls.  Can someone enlighten me what
> a more normal way to do this would be?

Why don't you just get the stock `/usr/src/etc/pam.d/sshd` and uncomment 
anything related to Kerberos? That's quite simple, unlike managing `su`.

-- 
Sphinx of black quartz judge my vow.
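
As an added illustration (not from either poster), here are the two stacks from the question next to the shape of the stock FreeBSD sshd `auth` stack with its Kerberos line uncommented, with a note on how OpenPAM evaluates each for pam_authenticate() versus pam_setcred(). Only the entries this thread is about are shown; the stock file carries other entries too.

```text
# /etc/pam.d/sshd, auth section only (added example, not the poster's file)

# First attempt from the question: there is no "required" entry, so when
# both sufficient modules fail (or the prompt is aborted with ^D) no
# required failure is recorded and the stack can still return success.
#auth optional   pam_deny.so
#auth sufficient pam_unix.so no_warn try_first_pass
#auth sufficient pam_krb5.so no_warn try_first_pass

# Second attempt: fine for pam_authenticate(), but pam_setcred() treats
# "sufficient" as "optional", so the stack never stops early and the
# required pam_deny.so makes every pam_setcred() call fail.
#auth sufficient pam_unix.so no_warn
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth required   pam_deny.so

# Stock shape: Kerberos first as the sufficient module, Unix last as the
# required fallback.
#  - pam_authenticate(): pam_krb5 success ends the stack; otherwise
#    pam_unix decides, and its failure is recorded because it is
#    required, so an aborted prompt is denied.
#  - pam_setcred(): both modules run; a pam_krb5 credential failure for
#    a Unix-only user is not recorded because that entry is not
#    required, and pam_unix supplies the success.
auth sufficient pam_krb5.so no_warn try_first_pass
auth required   pam_unix.so no_warn try_first_pass
```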