From owner-freebsd-questions@FreeBSD.ORG Sat Dec 10 02:50:50 2011
Date: Fri, 9 Dec 2011 18:22:41 -0800
From: Matt Mullins
To: freebsd-questions@freebsd.org
Subject: PAM configuration to allow passwords from both Unix and Kerberos
List-Id: User questions

For my systems, the canonical source of authentication information is a Kerberos server, but I also want to support old-fashioned Unix passwords for a handful of users (including myself) just in case the Kerberos system is unreachable. I'm having a bit of trouble adjusting to the semantics of FreeBSD's PAM configuration, it seems. The following is what I have tried in /etc/pam.d/sshd:

    auth optional   pam_deny.so
    auth sufficient pam_unix.so no_warn try_first_pass
    auth sufficient pam_krb5.so no_warn try_first_pass

This does what I want: it tries Unix authentication and then, for most users, goes on and tries Kerberos authentication. However, it also seems to allow access if the module does something other than success or failure: I hit ^D at the SSH password prompt and it grants me access! Adding "debug" to these lines doesn't seem to get anything additional logged, so I'm actually not sure why PAM ends up with a success code somewhere.

I flipped this logic around and did:

    auth sufficient pam_unix.so no_warn
    auth sufficient pam_krb5.so no_warn try_first_pass
    auth required   pam_deny.so

This does exactly what I want for services like sudo, which just use pam_authenticate(), but since "sufficient" is equivalent to "optional" in pam_setcred(), sshd fails all authentications with:

    Dec  9 15:05:18 boron-shell sshd[66617]: fatal: PAM: pam_setcred(): failed to retrieve user credentials

I am completely stumped as to how to get this behavior working for both pam_authenticate and pam_setcred calls. Can someone enlighten me as to what a more normal way to do this would be?

-- 
Matt Mullins
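Added illustration, not part of the original message: a simplified model of how OpenPAM walks an auth chain, run over the two /etc/pam.d/sshd chains quoted above. The per-module return codes (pam_deny always failing, pam_unix and pam_krb5 failing pam_authenticate() when the prompt is aborted) are assumptions constructed for the example, and "requisite" and "binding" are left out.

```python
# Simplified model of OpenPAM's chain dispatcher, constructed for
# illustration only. Two rules matter here: a failed "optional" or
# "sufficient" module never fails the chain by itself, and for
# pam_setcred() a successful "sufficient" module does not end the walk
# early (it behaves like "optional"), so a later "required" module still runs.

# Assumed results when the password prompt is aborted with ^D.
RESULTS_ABORTED = {
    "pam_deny": {"authenticate": "PAM_AUTH_ERR", "setcred": "PAM_CRED_ERR"},
    "pam_unix": {"authenticate": "PAM_AUTH_ERR", "setcred": "PAM_SUCCESS"},
    "pam_krb5": {"authenticate": "PAM_AUTH_ERR", "setcred": "PAM_SUCCESS"},
}
# Assumed results when the Unix password is correct.
RESULTS_UNIX_OK = {
    "pam_deny": {"authenticate": "PAM_AUTH_ERR", "setcred": "PAM_CRED_ERR"},
    "pam_unix": {"authenticate": "PAM_SUCCESS", "setcred": "PAM_SUCCESS"},
    "pam_krb5": {"authenticate": "PAM_AUTH_ERR", "setcred": "PAM_SUCCESS"},
}

# The two chains from the message, as (control flag, module) pairs.
CHAIN_DENY_FIRST = [("optional", "pam_deny"),
                    ("sufficient", "pam_unix"),
                    ("sufficient", "pam_krb5")]
CHAIN_DENY_LAST = [("sufficient", "pam_unix"),
                   ("sufficient", "pam_krb5"),
                   ("required", "pam_deny")]


def dispatch(chain, primitive, results):
    """Walk a chain for one primitive ("authenticate" or "setcred")."""
    err, fail = "PAM_SUCCESS", False
    for flag, module in chain:
        r = results[module][primitive]
        if r == "PAM_SUCCESS":
            # "sufficient" ends the walk only if nothing required has
            # failed yet, and never for pam_setcred().
            if flag == "sufficient" and not fail and primitive != "setcred":
                break
            continue
        if flag == "required":
            if err == "PAM_SUCCESS":
                err = r  # keep the first required failure
            fail = True
        # failures of optional/sufficient modules are ignored
    # If no required module failed, the chain succeeds even when every
    # module returned an error: this is the ^D case of the first chain.
    return err if fail else "PAM_SUCCESS"


if __name__ == "__main__":
    print(dispatch(CHAIN_DENY_FIRST, "authenticate", RESULTS_ABORTED))
    print(dispatch(CHAIN_DENY_LAST, "setcred", RESULTS_UNIX_OK))
```

The first call returns PAM_SUCCESS, the aborted-prompt surprise; the second returns the required pam_deny failure, which is the pam_setcred() error sshd logs.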