Re: Integrated Login

The most optimized configuration I have reached is as follows.
Thank you for the help!!

sshd

auth       required     pam_listfile.so item=user sense=deny file=/etc/ssh/ssh_host_deny
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so

account    required     pam_stack.so service=system-auth

password   required     pam_stack.so service=system-auth

session    required     pam_stack.so service=system-auth
session    required     pam_limits.so

system-auth

auth        required      pam_env.so
auth        optional      pam_krb5.so try_first_pass
auth        sufficient    pam_afs.so try_first_pass ignore_root set_token
auth        required      pam_deny.so

account     sufficient    pam_unix.so
account     sufficient    pam_krb5.so
account     sufficient    pam_ldap.so

password    requisite     pam_passwdqc.so min=disabled,8,8,8,8 passphrase=0 enforce=users
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     required      pam_limits.so
session     optional      pam_krb5.so
session     optional      pam_ldap.so
session     required      pam_unix.so


Ido Levy

On Tue, Mar 25, 2008 at 1:14 PM, Tomas Mraz <tmraz@xxxxxxxxxx> wrote:
On Tue, 2008-03-25 at 12:49 +0200, Ido Levy wrote:
> Hello,
>
> Following your advice I have successfully set up integrated login for
> ssh.
> I got both an AFS token and a Kerberos 5 ticket.
>
> Following are the PAM files of sshd and system-auth:
> I have a few questions regarding the setup of the sshd PAM file, which looks
> a little strange to me although it's working and satisfies my needs.
>
> sshd

Here is my recommendation - try if that works:

#%PAM-1.0
auth       required     pam_listfile.so item=user sense=deny file=/etc/ssh/ssh_host_deny
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so

account    required     pam_stack.so service=system-auth

password   required     pam_stack.so service=system-auth

session    required     pam_stack.so service=system-auth
session    required     pam_limits.so

system-auth

#%PAM-1.0
auth        required      pam_env.so
auth        required      pam_krb5.so
auth        sufficient    pam_afs.so try_first_pass ignore_root set_token
auth        required      pam_deny.so

account     sufficient    pam_unix.so
account     sufficient    pam_krb5.so
account     sufficient    pam_ldap.so

password    requisite     pam_passwdqc.so min=disabled,8,8,8,8 passphrase=0 enforce=users
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     required      pam_limits.so
session     optional      pam_krb5.so
session     optional      pam_ldap.so
session     required      pam_unix.so

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                             Turkish proverb

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
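
The two system-auth files in this thread differ only in the control flag on the pam_krb5.so auth line (optional in the final configuration, required in the quoted recommendation). The following is an added example, not code from either poster: a simplified model of the Linux-PAM control flags that evaluates both auth stacks for every combination of Kerberos and AFS results. The function names are hypothetical, module results are constructed inputs, pam_env.so is assumed to succeed, and module arguments such as try_first_pass are not modelled.

```python
# Added example: simplified model of Linux-PAM control flags, applied to the
# two system-auth "auth" stacks posted in this thread. Module results are
# constructed inputs; module arguments (try_first_pass etc.) are not modelled.
from itertools import product

def run_stack(stack, outcomes):
    """Return True if the stack grants access.

    stack    -- list of (control_flag, module) in file order
    outcomes -- dict: module -> True (success) or False (failure)
    """
    granted = False  # some module has returned a success that counts
    failed = False   # a required module has failed; final result is failure
    for control, module in stack:
        ok = outcomes[module]
        if control == "requisite" and not ok:
            return False              # fail immediately, skip the rest
        if control == "required" and not ok:
            failed = True             # remember failure, keep running modules
        elif ok and not failed:
            granted = True
            if control == "sufficient":
                return True           # success with no earlier required failure
        # failed "sufficient"/"optional" modules are ignored
    return granted and not failed

def auth_stack(krb5_control):
    """system-auth auth lines from the thread, varying only pam_krb5's flag."""
    return [("required", "pam_env.so"),
            (krb5_control, "pam_krb5.so"),
            ("sufficient", "pam_afs.so"),
            ("required", "pam_deny.so")]

def decision_table(krb5_control):
    """Map (krb5_ok, afs_ok) -> login allowed, for every combination."""
    table = {}
    for krb5_ok, afs_ok in product([True, False], repeat=2):
        outcomes = {"pam_env.so": True, "pam_krb5.so": krb5_ok,
                    "pam_afs.so": afs_ok, "pam_deny.so": False}
        table[(krb5_ok, afs_ok)] = run_stack(auth_stack(krb5_control), outcomes)
    return table

if __name__ == "__main__":
    for flag in ("optional", "required"):
        print(f"auth {flag} pam_krb5.so")
        for (krb5_ok, afs_ok), allowed in decision_table(flag).items():
            print(f"  krb5={krb5_ok!s:5} afs={afs_ok!s:5} -> "
                  f"{'allow' if allowed else 'deny'}")
```

In this model the optional flag lets pam_afs.so alone decide the login, so a session can be granted when pam_krb5.so fails, while the required flag denies the login unless both modules succeed.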
