Date: Wed, 31 Aug 2005 15:18:56 +0200
From: Stijn Hoop <stijn@win.tue.nl>
To: questions@freebsd.org
Subject: Re: heimdal kerberos & ssh
Message-ID: <20050831131856.GC48436@pcwin002.win.tue.nl>
In-Reply-To: <20050831112300.GA48436@pcwin002.win.tue.nl>
References: <20050831112300.GA48436@pcwin002.win.tue.nl>
OK, I think I figured this out, at least partially:

On Wed, Aug 31, 2005 at 01:23:00PM +0200, Stijn Hoop wrote:
> So it seems that the authentication is working, however the TGT is not
> being saved.

It turns out that you really need to specify the 'ccache' parameter to
pam_krb5 but in the correct format:

auth required pam_krb5.so no_warn try_first_pass ccache=FILE:/tmp/krb5_%u

Furthermore, do not test logging in with a user that has both a local
account and a Kerberos principal -- it may confuse you :-/

For the record here is the /etc/pam.d/sshd that I think works:

%%%
# auth
auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth required pam_krb5.so no_warn try_first_pass ccache=FILE:/tmp/krb5_%u

# account
account required pam_krb5.so
account required pam_login_access.so

# session
session required pam_permit.so

# password
password required pam_krb5.so no_warn try_first_pass
%%%

However:

- I still don't get a valid cache file with a user that also has a local
  password (manually doing kinit works just fine). This is really strange..

- there's a strange 2-3 second delay when logging in, that I can't explain.
  It feels like some sort of timeout but I can't figure out what...

Anyone recognize this?

And again, if there's someone out there with a working setup, I'd love to
see the config files.

--Stijn

-- 
This sentence contradicts itself -- no actually it doesn't.
		-- Hofstadter
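Added example, not part of Stijn's message or of FreeBSD's own tooling: a POSIX sh check that reads an /etc/pam.d/sshd-style file and reports whether the pam_krb5 auth entry carries ccache= in the FILE: form the message says is required. The sample config files and their temp-dir paths are constructed for the stand-alone run.

```shell
#!/bin/sh
# Added example (constructed, not from the original message): inspect a
# pam.d file and report whether the pam_krb5 'auth' entry carries the
# ccache parameter in the FILE: form the message describes as required.
# Return codes: 0 ok, 1 no ccache, 2 ccache without FILE: prefix,
# 3 no pam_krb5 auth line at all.
check_pam_krb5_ccache() {
    cfg="$1"
    # Strip comment lines, keep 'auth' entries that load pam_krb5.so;
    # head keeps the pipeline's exit status 0 even when nothing matches.
    entry=$(grep -v '^[[:space:]]*#' "$cfg" \
            | grep -E '^[[:space:]]*auth[[:space:]]' \
            | grep 'pam_krb5\.so' | head -n 1)
    if [ -z "$entry" ]; then
        echo "$cfg: no pam_krb5 auth entry"
        return 3
    fi
    case "$entry" in
        *ccache=FILE:*) echo "$cfg: ok ($entry)"; return 0 ;;
        *ccache=*)      echo "$cfg: ccache lacks FILE: prefix ($entry)"; return 2 ;;
        *)              echo "$cfg: ccache parameter missing ($entry)"; return 1 ;;
    esac
}

# Constructed sample files (hypothetical paths under a temp dir) so the
# script runs stand-alone; the 'good' file mirrors the posted config.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/good" <<'EOF'
# auth
auth required pam_nologin.so no_warn
auth required pam_krb5.so no_warn try_first_pass ccache=FILE:/tmp/krb5_%u
# account
account required pam_krb5.so
EOF
cat > "$SAMPLE_DIR/noprefix" <<'EOF'
auth required pam_krb5.so no_warn try_first_pass ccache=/tmp/krb5_%u
EOF
cat > "$SAMPLE_DIR/nocache" <<'EOF'
auth required pam_krb5.so no_warn try_first_pass
EOF
cat > "$SAMPLE_DIR/nokrb5" <<'EOF'
auth required pam_unix.so no_warn try_first_pass
account required pam_krb5.so
EOF

for f in good noprefix nocache nokrb5; do
    check_pam_krb5_ccache "$SAMPLE_DIR/$f" || :
done
```

Point it at the real /etc/pam.d/sshd to confirm the auth line has the FILE: prefix before chasing other causes of a missing credential cache.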