I have been trying to get the PAM Krb5 module to work for the past few days and was wondering if it would be possible for someone to point me in the right direction regarding some problems I am having. I'm using a gentoo system with MIT Kerberos5 v1.3.3, PAM v0.77 and PAM_krb5 version 2.1.0. When I ssh into the box I can login, but whilst I get a TGT allocated (I can see it being allocated on the KDC)
Assuming you're using OpenSSH: http://bugzilla.mindrot.org/show_bug.cgi?id=688
Possible solutions:
* Compile sshd to use threads. This is the best known solution right now, but opens a whole can of thread-safety worms.
* There's a patch attached to the bug that creates the credential cache before sshd's authentication "thread" (a process, actually) exits.
* Current development versions can also do Password authentication via PAM (via a "blind" conversation function) in addition to ChallengeResponse. This happens in the immediate ancestor of the shell, so the info stashed by the module (presumably with pam_set_data()?) during authentication doesn't get lost.
> Also, I'm asked for the password three times, where I > can enter nonsense, before it prompts me for root@host password.
This is described (briefly) in the sshd_config man page description of UsePAM and the comments in sshd_config. Basically, if you want to authenticate via PAM, set "PasswordAuthentication no" in sshd_config
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
