Re: kerberos pam_krb5.so module skipped in stack

Ok,

I got it.

I had to add 'UsePAM yes' to sshd_config.

Thanks for your help.

Rick

On 6/17/05, Wang, Yu <ywang@xxxxxxx> wrote:
> I would first check to make sure SSH is using pam, not its own auth. You may want to turn on debug mode on ssh and on krb5. kinit means your krb client setup is correct. You can use telnet and a kerberos principal to test your pam stack. If it works for telnet, then it's your ssh configuration. I don't use RH so cannot test your pam stack. Mine doesn't have that 'default=bad' thing since my users are in AD.
> 
> Yu
> 
> 
> > -----Original Message-----
> > From: pam-list-bounces@xxxxxxxxxx
> > [mailto:pam-list-bounces@xxxxxxxxxx]On
> > Behalf Of Rick Blair
> > Sent: Friday, June 17, 2005 1:38 PM
> > To: pam-list@xxxxxxxxxx
> > Subject: kerberos pam_krb5.so module skipped in stack
> >
> >
> > On past versions of Red Hat and Fedora Core I was able to set up kerberos
> > authentication with pam without any problem.
> >
> > On Fedora Core 3 and now 4 I can not get it to work.  I set everything
> > up as before and run kinit <user> and that works.  If I do a tcpdump I
> > can see the port 88 communication occurring.
> > If I use pam and a service like sshd, I get the error: "sshd[23379]:
> > Failed password for <user>".  A tcpdump reveals no port 88 traffic.  It
> > looks like the pam_krb5.so module is being skipped in the pam stack.
> >
> > Here are my pam configs:
> > /etc/pam.d/sshd
> > #%PAM-1.0
> > auth       required     pam_stack.so service=system-auth debug
> > auth       required     pam_nologin.so
> > account    required     pam_stack.so service=system-auth debug
> > password   required     pam_stack.so service=system-auth debug
> > #session    required     pam_stack.so service=system-auth
> > #session    required     pam_limits.so
> > #session    optional     pam_console.so
> > session    required     pam_permit.so
> >
> >
> > cat /etc/pam.d/system-auth
> > #%PAM-1.0
> > # This file is auto-generated.
> > # User changes will be destroyed the next time authconfig is run.
> > auth        required      /lib/security/$ISA/pam_env.so
> > auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> > auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
> > auth        required      /lib/security/$ISA/pam_deny.so
> >
> > account     required      /lib/security/$ISA/pam_unix.so broken_shadow
> > account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> > account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so
> > account     required      /lib/security/$ISA/pam_permit.so
> >
> > password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
> > password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> > password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
> > password    required      /lib/security/$ISA/pam_deny.so
> >
> > session     required      /lib/security/$ISA/pam_limits.so
> > session     required      /lib/security/$ISA/pam_unix.so
> > session     optional      /lib/security/$ISA/pam_krb5.so
> >
> > --
> >               -Rick
> >
> > _______________________________________________
> > 
> > Pam-list@xxxxxxxxxx
> > https://www.redhat.com/mailman/listinfo/pam-list
> >
> >
>
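
Added example, not part of the original messages: an offline check for the failure this thread ended on, where the PAM stack lists pam_krb5.so but sshd never calls it because UsePAM is not enabled. The function names and the sample files are constructed for illustration; the check assumes the upstream OpenSSH default of "UsePAM no" and does not follow Include directives in sshd_config.

```shell
#!/bin/sh
# Added example, not from the thread: offline check for the failure above.

# Effective global UsePAM value. sshd keeps the first value it reads for a
# keyword; upstream OpenSSH defaults to "no". Include files are not followed.
effective_usepam() {
    awk '{ sub(/=/, " ") }
         tolower($1) == "match"  { exit }
         tolower($1) == "usepam" { print tolower($2); found = 1; exit }
         END { if (!found) print "no" }' "$1"
}

# stack_calls_module DIR SERVICE TYPE MODULE [DEPTH]
# True if SERVICE's TYPE lines reach MODULE, following pam_stack.so service=X
# (as in the posted files) and include/substack lines, up to 8 levels deep.
stack_calls_module() {
    [ "${5:-0}" -lt 8 ] && [ -r "$1/$2" ] || return 1
    grep -Eq "^[[:space:]]*-?$3[[:space:]].*$4" "$1/$2" && return 0
    for next in $(awk -v t="$3" '
        $1 == t && ($2 == "include" || $2 == "substack") { print $3 }
        $1 == t && $3 ~ /pam_stack\.so$/ {
            for (i = 4; i <= NF; i++) if ($i ~ /^service=/) print substr($i, 9)
        }' "$1/$2"); do
        stack_calls_module "$1" "$next" "$3" "$4" $(( ${5:-0} + 1 )) && return 0
    done
    return 1
}

diagnose() {    # diagnose SSHD_CONFIG PAM_DIR
    if ! stack_calls_module "$2" sshd auth pam_krb5.so; then
        echo "pam_krb5.so is not in the sshd auth stack"
    elif [ "$(effective_usepam "$1")" != yes ]; then
        echo "UsePAM is off: sshd never runs the stack"
    else
        echo "ok"
    fi
}

# Constructed sample files modelled on the configs quoted in the thread.
demo=$(mktemp -d)
printf '%s\n' 'auth required pam_stack.so service=system-auth debug' \
    'auth required pam_nologin.so' > "$demo/sshd"
printf '%s\n' 'auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok' \
    'auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass' \
    > "$demo/system-auth"
printf '%s\n' 'Port 22' '#UsePAM yes' > "$demo/sshd_config.before"
printf '%s\n' 'Port 22' 'UsePAM yes'  > "$demo/sshd_config.after"
diagnose "$demo/sshd_config.before" "$demo"
diagnose "$demo/sshd_config.after"  "$demo"
```

On a real host the same functions can be pointed at /etc/ssh/sshd_config and /etc/pam.d; a distribution's packaged sshd_config may set UsePAM explicitly, in which case that line decides the result.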
