I want root to be authenticated via pam_unix and everybody else to be authenticated via pam_krb5. This works:
    auth sufficient pam_unix.so
    auth required pam_krb5.so use_first_pass
But that tries pam_unix first for all the Kerberos-authenticated users. So, in order to always do either one or the other but not both, I tried this:
    auth [success=2 default=ignore] pam_listfile.so \
            onerr=fail item=user sense=deny file=/etc/security/auth.local
    auth sufficient pam_unix.so
    auth [default=1] pam_permit.so
    auth sufficient pam_krb5.so
    auth required pam_deny.so
along with putting root into /etc/security/auth.local
The pam_krb5 case works, but for some reason the pam_unix case fails, and this appears in syslog:
Sep 20 18:46:06 myhost sshd[16829]: Accepted keyboard-interactive/pam for root from ::ffff:192.168.1.101 port 4024 ssh2
Sep 20 18:46:06 myhost sshd[16829]: fatal: PAM: pam_setcred(): Authentication service cannot retrieve user credentials
Can someone tell me what I'm doing wrong?
Alexey
_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
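The routing the two stacks in the post are meant to produce, traced with a small Python model of Linux-PAM control handling (an added example, not part of the original post). It covers only the pam_authenticate pass with constructed module outcomes, so it shows which modules are consulted for each user but does not reproduce the pam_setcred() error; all function and variable names are hypothetical.

```python
# Simplified model of one pam_authenticate pass over an auth stack (Linux-PAM
# control syntax). Not modeled: pam_setcred, substacks, PAM return codes other
# than success/failure. Assumes every [..] control supplies a default= action.
ALIASES = {"sufficient": {"success": "done", "default": "ignore"},
           "required": {"success": "ok", "default": "bad"}}

SIMPLE = """auth sufficient pam_unix.so
auth required pam_krb5.so use_first_pass"""

SPLIT = """auth [success=2 default=ignore] pam_listfile.so \\
        onerr=fail item=user sense=deny file=/etc/security/auth.local
auth sufficient pam_unix.so
auth [default=1] pam_permit.so
auth sufficient pam_krb5.so
auth required pam_deny.so"""

def parse(stack):
    """Turn 'auth <control> <module> [args]' lines into (actions, module) pairs."""
    rules = []
    for line in stack.replace("\\\n", " ").splitlines():
        rest = line.split(None, 1)[1]              # drop the 'auth' type field
        if rest.startswith("["):
            ctl, rest = rest[1:].split("]", 1)
            actions = dict(kv.split("=") for kv in ctl.split())
        else:
            ctl, rest = rest.split(None, 1)
            actions = ALIASES[ctl]
        rules.append((actions, rest.split()[0]))
    return rules

def authenticate(stack, user, unix_ok, krb5_ok, local_users=("root",)):
    """Return (granted, modules consulted) for constructed module outcomes."""
    ok = {"pam_listfile.so": user not in local_users,  # sense=deny: listed users fail
          "pam_unix.so": unix_ok, "pam_krb5.so": krb5_ok,
          "pam_permit.so": True, "pam_deny.so": False}
    rules, ran, positive, failed, i = parse(stack), [], False, False, 0
    while i < len(rules):
        actions, module = rules[i]
        ran.append(module)
        key = "success" if ok[module] else "default"
        act = actions.get(key, actions["default"])
        i += 1
        if act.isdigit():
            i += int(act)                          # jump: skip the next N modules
        elif act in ("ok", "done"):
            positive = positive or not failed
            if act == "done":
                break
        elif act == "bad":
            failed = True
    return positive and not failed, ran
```

Calling `authenticate(SPLIT, "root", False, True)` shows that a wrong local password for root ends at pam_deny without pam_krb5 being consulted, while `authenticate(SIMPLE, "alice", False, True)` shows pam_unix being tried first for a Kerberos user.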