Scott Silva wrote:
>
> on 4-15-2008 10:17 AM Jason Pyeron spake the following:
> >
> >Ross S. W. Walker wrote:
> >>
> >> Well what you have will only cover console logins via the login
> >> process, not GUI xdm/gdm/kdm or ssh/telnet/ftp/rsh logins.
> >>
> >> Try this:
> >>
> >> /etc/pam.d/system-auth
> >> #%PAM-1.0
> >> # This file is auto-generated.
> >> # User changes will be destroyed the next time authconfig is run.
> >> auth required pam_env.so
> >> auth optional pam_group.so
> >> auth sufficient pam_unix.so nullok try_first_pass
> >> auth requisite pam_succeed_if.so uid >= 500 quiet
> >> auth sufficient pam_krb5.so use_first_pass
> >> auth required pam_deny.so
> >>
> >> account required pam_unix.so broken_shadow
> >> account sufficient pam_localuser.so
> >> account sufficient pam_succeed_if.so uid < 500 quiet
> >> account [default=bad success=ok user_unknown=ignore] pam_krb5.so
> >> account required pam_permit.so
> >>
> >> password requisite pam_cracklib.so try_first_pass retry=3
> >> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> >> password sufficient pam_krb5.so use_authtok
> >> password required pam_deny.so
> >>
> >> session optional pam_keyinit.so revoke
> >> session required pam_mkhomedir.so skel=/etc/skel umask=0077
> >> silent
> >> session required pam_limits.so
> >> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> >> session required pam_unix.so
> >> session optional pam_krb5.so
> >>
> >
> > Hmm, it worked for su -l but not ssh logins ....
> >
> >
> > Making progress.
>
> Do you have ssh set to use pam?
>
Excellent point.
Do you have it set in /etc/ssh/sshd_config, like such:
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes
-Ross
______________________________________________________________________
This e-mail, and any attachments thereto, is intended only for use by
the addressee(s) named herein and may contain legally privileged
and/or confidential information. If you are not the intended recipient
of this e-mail, you are hereby notified that any dissemination,
distribution or copying of this e-mail, and any attachments thereto,
is strictly prohibited. If you have received this e-mail in error,
please immediately notify the sender and permanently delete the
original and any copy or printout thereof.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
