Date: Wed, 23 May 2001 18:21:04 -0500
From: "Jacques A. Vidrine"
To: Peter Losher
Cc: freebsd-stable@freebsd.org
Subject: Re: OpenSSH and Krb5, FreeBSD style...

On Wed, May 23, 2001 at 03:42:49PM -0700, Peter Losher wrote:
> > > Bad news, UW-IMAP suffers from the same linker problem.  Also, SSHD
> > > refuses to take any Krb5 authentication, tkt or password.
> >
> > I'm confused -- above you said that it `seems to work fine' with the
> > v1 protocol.  Which SSHD are you talking about here?
>
> That was the client on the box going out to other SSHD's (SSH Inc's SSH)
> on other servers; it worked fine.  However, if I tried ssh'ing into the
> box, it refuses to take either my Kerberos ticket or entered password
> (Krb5 passwd)

It is still not clear to me what SSHD you are talking about.
Let me try another approach: are both client and server the FreeBSD
OpenSSH built as part of a world with MAKE_KERBEROS5=yes?  This is the
environment which I know works.

> This is what I have under sshd in /etc/pam.conf (should it be in another
> file?):

I use a /etc/pam.d/... layout.  Same difference.

> -=-
> sshd auth sufficient pam_krb5.so try_first_pass
> sshd auth required pam_unix.so
> sshd account sufficient pam_krb5.so try_first_pass
> sshd account required pam_unix.so
> sshd session sufficient pam_krb5.so try_first_pass
> sshd session required pam_unix.so
> sshd session required pam_permit.so
> -=-

Looks ok.

> And this is what I get after typing my Krb5 passwd:
>
> -=-
> May 23 15:40:52 web1 sshd[319]: unable to resolve symbol: pam_sm_open_session
> May 23 15:40:52 web1 sshd[319]: unable to resolve symbol: pam_sm_close_session
> May 23 15:41:19 web1 /kernel: pid 319 (sshd), uid 0: exited on signal 11
> -=-

The `unable to resolve symbol' messages are harmless: the pam_krb5
module doesn't do session management.  I'd need a backtrace to guess
what the segment violation is about.

I just double-checked on a fairly fresh 4.3-RELEASE machine, newly
installed Heimdal port + pam_krb5 port, and it works as expected.

Cheers,
-- 
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org
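
An added example, not part of the original message or of any FreeBSD code: it rewrites the `/etc/pam.conf` entries quoted above into the per-service `/etc/pam.d` layout the reply mentions, and warns on `session` lines naming a module that the reply says does no session management. The function name `split_pam_conf` and the `NO_SESSION_HOOKS` set are illustrative assumptions.

```python
"""Split /etc/pam.conf-style entries into the per-service /etc/pam.d layout."""
from collections import OrderedDict

# Constructed sample: the sshd entries quoted in the message above.
PAM_CONF = """\
# service type control module-path arguments
sshd auth     sufficient pam_krb5.so try_first_pass
sshd auth     required   pam_unix.so
sshd account  sufficient pam_krb5.so try_first_pass
sshd account  required   pam_unix.so
sshd session  sufficient pam_krb5.so try_first_pass
sshd session  required   pam_unix.so
sshd session  required   pam_permit.so
"""

# Assumption taken from the reply: this pam_krb5 build has no session hooks.
NO_SESSION_HOOKS = {"pam_krb5.so"}
FACILITIES = {"auth", "account", "session", "password"}


def split_pam_conf(text):
    """Return ({service: [pam.d lines]}, [warnings]) for pam.conf-style text."""
    files, warnings = OrderedDict(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[1] not in FACILITIES:
            warnings.append(f"line {lineno}: malformed entry: {raw.strip()}")
            continue
        service, facility, control, module, *args = fields
        # A pam.d file drops the leading service column. Order is preserved
        # because PAM evaluates each facility's stack from top to bottom.
        files.setdefault(service, []).append(
            " ".join([facility, control, module, *args]))
        if facility == "session" and module.rsplit("/", 1)[-1] in NO_SESSION_HOOKS:
            warnings.append(
                f"line {lineno}: {module} has no pam_sm_open_session/"
                "pam_sm_close_session; expect 'unable to resolve symbol'")
    return files, warnings


if __name__ == "__main__":
    files, warnings = split_pam_conf(PAM_CONF)
    for service, lines in files.items():
        print(f"# /etc/pam.d/{service}")
        print("\n".join(lines))
    for w in warnings:
        print("warning:", w)
```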