Date:      Tue, 13 Dec 2011 10:58:27 +0200
From:      Volodymyr Kostyrko <c.kworr@gmail.com>
To:        Matt Mullins <mokomull@gmail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: PAM configuration to allow passwords from both Unix and Kerberos
Message-ID:  <4EE713B3.7000401@gmail.com>
In-Reply-To: <CAPyT1SEeTvLejgy2jPwP9UyuOQ2s9B+hnm+GrOqvNfnQ_bXEfA@mail.gmail.com>
References:  <CAPyT1SEZan8OZ1=r7bd4oyxuy=FAD9DFo=Wu27tRPzCQ+ffRSQ@mail.gmail.com> <4EE5CBFE.9050908@gmail.com> <CAPyT1SEeTvLejgy2jPwP9UyuOQ2s9B+hnm+GrOqvNfnQ_bXEfA@mail.gmail.com>

12.12.2011 20:35, Matt Mullins wrote:
> On Mon, Dec 12, 2011 at 1:40 AM, Volodymyr Kostyrko <c.kworr@gmail.com> wrote:
>> 10.12.2011 04:22, Matt Mullins wrote:
>>> auth optional   pam_deny.so
>>> auth sufficient pam_unix.so no_warn try_first_pass
>>> auth sufficient pam_krb5.so no_warn try_first_pass
>>
>>
>> Why haven't you just changed the last line to `required`?
>
> I did try that, but I omitted it due to completely failing behavior.
> pam_krb5.so returns failure during pam_setcred() if the user did not
> log in with Kerberos credentials, whereas pam_unix.so succeeds as long
> as the uid exists (I'm using nss_ldap for that part, so all the uids
> do indeed exist).  Thus, pam_unix.so will work with "required", but
> pam_krb5.so won't.
>
>> Why don't you just take the stock `/usr/src/etc/pam.d/sshd` and uncomment anything
>> related to Kerberos? That's quite simple, unlike managing `su`.
>
> That's pretty much what I did.  I'm a little unhappy since pam_krb5.so
> is before pam_unix.so in the list, so if the KDC goes down I have to
> wait for a time-out to log in to my system... but that's always better
> than letting anyone in :)

So how about:
auth sufficient pam_unix.so no_warn try_first_pass
auth sufficient pam_krb5.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass

-- 
Sphinx of black quartz judge my vow.
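As an added illustration, not part of the thread, here is a small Python simulation of how the PAM control flags evaluate the three auth stacks mentioned above (Matt's original one, the stock sshd order with pam_krb5 uncommented, and the one proposed here). It models the auth phase only, so the pam_setcred() behaviour Matt describes is outside it, and it assumes that a chain ending with no success and no recorded failure is a denial; check that rule against your libpam. The scenarios are constructed, not real accounts.

```python
from typing import Dict, List, Tuple

Stack = List[Tuple[str, str]]   # (control flag, module) pairs in pam.conf order
Results = Dict[str, bool]       # module -> would it accept the offered password?

def run_auth_chain(stack: Stack, results: Results) -> Tuple[bool, List[str]]:
    """Evaluate one auth chain; return (access granted, modules invoked).

    required: failure recorded, chain goes on.  requisite: failure ends the
    chain at once.  sufficient: success ends the chain with success unless a
    required module already failed.  sufficient/optional failures are ignored.
    Assumption: end of chain with no success and no failure is a denial.
    """
    invoked: List[str] = []
    required_failed = False
    any_success = False
    for control, module in stack:
        invoked.append(module)
        if results.get(module, False):      # module not listed => it fails
            any_success = True
            if control == "sufficient" and not required_failed:
                return True, invoked
            continue
        if control == "required":
            required_failed = True
        elif control == "requisite":
            return False, invoked
    return (any_success and not required_failed), invoked

def contacts_kdc(stack: Stack, results: Results) -> bool:
    """True if pam_krb5 runs at all (a dead KDC would then cost a timeout)."""
    return "pam_krb5.so" in run_auth_chain(stack, results)[1]

# The three auth stacks discussed in the thread.
MATT_ORIGINAL: Stack = [("optional", "pam_deny.so"),
                        ("sufficient", "pam_unix.so"),
                        ("sufficient", "pam_krb5.so")]
STOCK_ORDER: Stack = [("sufficient", "pam_krb5.so"),    # KDC is asked first
                      ("required", "pam_unix.so")]
PROPOSED: Stack = [("sufficient", "pam_unix.so"),
                   ("sufficient", "pam_krb5.so"),
                   ("required", "pam_unix.so")]

# Constructed scenarios, not real accounts.
SCENARIOS: Dict[str, Results] = {
    "local password":    {"pam_unix.so": True,  "pam_krb5.so": False},
    "kerberos password": {"pam_unix.so": False, "pam_krb5.so": True},
    "wrong password":    {"pam_unix.so": False, "pam_krb5.so": False},
}
```

With the proposed order a local-password login never reaches pam_krb5, so a dead KDC costs no timeout, while a wrong password still ends at the final required pam_unix and is denied.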


