From: Stijn Hoop
To: questions@freebsd.org
Date: Wed, 31 Aug 2005 13:23:00 +0200
Subject: heimdal kerberos & ssh
Message-ID: <20050831112300.GA48436@pcwin002.win.tue.nl>

Hi,

I'm trying to set up a Kerberos realm, on a 5.4-STABLE box using the base heimdal version. I have successfully created the database and I can get a ticket using kinit. Now I'm trying to set up the ssh service so that it authenticates to the kerberos server, and so that it saves the ticket to the credentials cache. However that last point is not working:

%%%
[stijn@firsa] <~> grep stijnkrb /etc/passwd
stijnkrb:*:1004:1004:stijn kerb test:/home/stijnkrb:/usr/local/bin/zsh
[stijn@firsa] <~> ssh stijnkrb@localhost
Password:
Last login: Wed Aug 31 13:11:15 2005 from localhost.lzee.
firsa% klist
klist: No ticket file: /tmp/krb5cc_1004
%%%

So it seems that the authentication is working, however the TGT is not being saved. I have modified /etc/pam.d/sshd as follows:

%%%
# auth
auth		required	pam_krb5.so	no_warn try_first_pass
# account
account		required	pam_krb5.so
# session
session		required	pam_permit.so
# password
password	required	pam_krb5.so	no_warn try_first_pass
%%%

Which to my mind should allow only kerberos accounts to log in. However, sshd happily passes authentication for local-only accounts as well! I do have UsePAM yes in /etc/ssh/sshd_config, although the text suggested this as the default.

Not knowing much about pam, is this not the right thing to do? I have tried variations on this but it seems that it's not helping any... Adding a 'ccache' option to the auth line for pam_krb5 didn't help either.

Is there an introductory document on PAM available online somewhere? Or better a working setup with pam_krb5 on FreeBSD 5.x/6.x?

Thanks,

--Stijn

-- 
Nostalgia ain't what it used to be.
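An added example, not part of the post above: a small Python evaluator for pam.d(5)-style stacks, fed the /etc/pam.d/sshd stack quoted in the mail, so the effect of the control flags (required, requisite, sufficient, optional) on a chain can be checked against hypothetical per-module results. It models only the PAM chain itself, with simplified control-flag semantics as an assumption; whether sshd hands a given authentication method to PAM at all is decided in sshd_config and is outside what this code shows.

```python
from dataclasses import dataclass

# Constructed input: the /etc/pam.d/sshd stack quoted in the mail.
PAM_SSHD = """\
# auth
auth     required pam_krb5.so no_warn try_first_pass
# account
account  required pam_krb5.so
# session
session  required pam_permit.so
# password
password required pam_krb5.so no_warn try_first_pass
"""

@dataclass(frozen=True)
class Rule:
    facility: str   # auth | account | session | password
    control: str    # required | requisite | sufficient | optional
    module: str     # e.g. pam_krb5.so
    options: tuple  # module arguments, e.g. ("no_warn", "try_first_pass")

def parse_pam(text):
    """Parse pam.d(5)-style lines; '#' comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed pam.d line: {raw!r}")
        rules.append(Rule(fields[0], fields[1], fields[2], tuple(fields[3:])))
    return rules

def evaluate(rules, facility, results):
    """Decide one facility's chain under simplified control-flag semantics.
    `results` maps module name -> hypothetical pass (True) / fail (False);
    an unlisted module counts as failing. Returns True when access is granted.
    """
    chain = [r for r in rules if r.facility == facility]
    failed = False
    for r in chain:
        ok = results.get(r.module, False)
        if r.control == "requisite" and not ok:
            return False              # stop at once, deny
        if r.control == "required" and not ok:
            failed = True             # remember the failure, keep going
        if r.control == "sufficient" and ok and not failed:
            return True               # enough: grant without running the rest
        if r.control == "optional" and len(chain) == 1:
            return ok                 # an optional module only counts when alone
    return bool(chain) and not failed
```

With the quoted stack, the auth facility is granted only when pam_krb5.so itself succeeds; an account pam_krb5 rejects is denied by the chain, so a local-only login that still gets through is not explained by the PAM chain alone.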