Date: Sat, 17 Feb 2024 16:02:28 -0500
From: Michael Voorhis
To: freebsd-questions@FreeBSD.org
Cc: mvoorhis@gmail.com
Subject: openPAM and Kerberos in FreeBSD13
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

Hi all,

I'm trying to get SSH and Kerberos working on my FreeBSD13 machine.
I can authenticate to the KDC using kinit, no problem, but no amount of playing will allow me to log in to a machine using SSHD and PAM. Have played with /etc/pam.d/system and /etc/pam.d/sshd endlessly.

The KDC/KADMIN server is another FreeBSD13 machine, and seems to function correctly as it is being used actively. The PAM-failing client machine has a keytab file with a dedicated host-key so the KDC knows about it.

PAM provides no useful errors of any kind. Use of kinit on my PAM-failing test machine causes log entries to appear on the KDC's /var/heimdal/kdc.log, but PAM activity doesn't appear in logs at all, as if it's not even trying to connect. There's some disconnect that I don't understand.

Thanks for any URLs, leading questions, or other pointers. I strongly suspect there's Some Simple Thing I haven't done correctly.

Thanks for reading,
--MCV.