From owner-freebsd-questions Fri Feb 14 8:50:27 2003
Date: Fri, 14 Feb 2003 10:53:03 -0600
From: Tillman <tillman@seekingfire.com>
To: La Temperanza <temperanza@softhome.net>
Cc: questions@FreeBSD.ORG
Subject: Re: Help with Kerberos 5 setup
Message-ID: <20030214105303.A31351@seekingfire.com>
References: <20030213112254.6c59e001.temperanza@softhome.net> <20030213135515.S22957@seekingfire.com> <20030213215433.0900524f.temperanza@softhome.net>
In-Reply-To: <20030213215433.0900524f.temperanza@softhome.net>; from temperanza@softhome.net on Thu, Feb 13, 2003 at 09:54:33PM -0800
X-Urban-Legend: There is lots of hidden information in headers

On Thu, Feb 13, 2003 at 09:54:33PM -0800, La Temperanza wrote:
> Thanks, your PDF helped me get k5su up and running. Now can you help me switch
> my console login service to Kerberos? :) I don't quite get the man pages for PAM
> and am worried about locking myself out of my system if I do something wrong.

Step number 1: log in on a different virtual console and leave it logged in.
This console is known as "insurance" ;-)

It's really not that hard with a fairly recent FreeBSD ... there should be a pam_krb5 already in there (but commented out). pam.conf is broken into sections, corresponding to the different services that might require authentication. The first "block" in the pam.conf is for the console login service. Try uncommenting the pam_krb5 line and logging in on a third virtual service.

I'm not actually using pam for services other than console login - while pam is great for centralizing authentication, it doesn't magically add encryption of the data stream to the various service daemons (the MIT kerberos -x switch for most apps). You'll need service daemons that specifically support that.

Hmmm. Now that I think about it, with Heimdal in the base install, the normal daemons /might/ actually do that. It doesn't apply to me as I'm using MIT krb5, but it'd be worth investigating if you're using the Heimdal in the base install.

- Tillman

-- 
Simplicity is the most difficult thing to secure in this world; it is the last limit of experience and the last effort of genius.
George Sand
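The "login" block Tillman describes, as an added example that is not part of the original message and not taken from any particular FreeBSD release: a single-file /etc/pam.conf fragment (the older layout, before per-service files under /etc/pam.d) with the pam_krb5 line uncommented. The module paths and the try_first_pass option are assumptions for illustration; compare them against the commented-out line already present in your own pam.conf rather than copying these verbatim.

```conf
# /etc/pam.conf, "login" (console) service block: added example, not the
# poster's file. Lines are "service type control module [options]".

# Kerberos first: "sufficient" means a successful Kerberos password
# satisfies auth and the stack stops here, but a failure (wrong password,
# KDC unreachable, no principal for this user) just falls through to the
# next line instead of rejecting the login outright.
login   auth      sufficient  pam_krb5.so   try_first_pass

# Local fallback. Keep this "required" so root and local accounts still
# work when the KDC is down. This is the line that makes the "insurance"
# console recoverable rather than merely cosmetic.
login   auth      required    pam_unix.so   try_first_pass

# Account, session and password stacks are left on the local modules;
# only the auth stack has been switched to Kerberos here.
login   account   required    pam_unix.so
login   session   required    pam_permit.so
login   password  required    pam_permit.so
```

Two checks before trusting the change: first, while the insurance console is still logged in, confirm on the third console that a Kerberos user logs in and that "klist" shows a ticket for the right principal; second, confirm a local-only account (or root) still logs in, which exercises the pam_unix fallback. If you instead set pam_krb5 to "required" and remove pam_unix, a KDC outage or a clock skew beyond the KDC's tolerance locks every console, which is exactly the failure the insurance login exists to survive.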