From owner-freebsd-security Tue Jan 30 16:31:19 2001
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 5A8A637B6A1; Tue, 30 Jan 2001 16:30:59 -0800 (PST)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.11.1/8.11.1) with SMTP id f0V0UvB29344; Tue, 30 Jan 2001 19:30:58 -0500 (EST) (envelope-from robert@fledge.watson.org)
Date: Tue, 30 Jan 2001 19:30:57 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: green@FreeBSD.org
Cc: security@FreeBSD.org
Subject: PAM/SSH and KerberosIV?
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I notice that as part of the PAM/OpenSSH support, the following lines
were added to the pam.conf on -STABLE:

# OpenSSH with PAM support requires similar modules.  The session one is
# a bit strange, though...
sshd    auth      sufficient  pam_skey.so
sshd    auth      required    pam_unix.so    try_first_pass
sshd    session   required    pam_permit.so

For most sets of entries, there's also a kerberos line (witness login):

# If the user can authenticate with S/Key, that's sufficient; allow clear
# password.  Try kerberos, then try plain unix password.
login   auth      sufficient  pam_skey.so
login   auth      requisite   pam_cleartext_pass_ok.so
#login  auth      sufficient  pam_kerberosIV.so  try_first_pass
login   auth      required    pam_unix.so    try_first_pass

Which gets un-commented for Kerberos sites.  Could you comment on whether
or not a similar-looking line is required for use with KerberosIV and
OpenSSH?

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
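The two pam.conf stanzas quoted in the mail differ in more than the presence of a kerberosIV line: the order of the modules and their control flags (sufficient, requisite, required) decide which modules are ever consulted and what the final answer is. The following Python walks those exact stanzas under the control-flag semantics documented for Linux-PAM and OpenPAM. It is an added illustration, not code from FreeBSD, OpenSSH or the mail; per-module success or failure is supplied by the caller (no real PAM module is loaded), and the "uncommented" Kerberos configuration is constructed here by removing the leading '#' exactly as the mail says Kerberos sites do.

```python
"""Simulate PAM 'auth' stack evaluation for the pam.conf stanzas quoted
in the mail, to show what 'sufficient', 'requisite' and 'required' do.

Control-flag semantics follow the Linux-PAM / OpenPAM documentation
(an assumption about the PAM in use, not something the mail states).
Each module's result is injected by the caller, so this runs offline.
"""

# Constructed copy of the two stanzas quoted in the mail.
PAM_CONF = """\
# OpenSSH with PAM support requires similar modules.
sshd    auth      sufficient  pam_skey.so
sshd    auth      required    pam_unix.so    try_first_pass
sshd    session   required    pam_permit.so

# Try S/Key, then Kerberos (if enabled), then plain unix password.
login   auth      sufficient  pam_skey.so
login   auth      requisite   pam_cleartext_pass_ok.so
#login  auth      sufficient  pam_kerberosIV.so  try_first_pass
login   auth      required    pam_unix.so    try_first_pass
"""

# What a Kerberos site does, per the mail: un-comment the kerberosIV line.
PAM_CONF_KERBEROS = PAM_CONF.replace("#login", "login")


def parse_pam_conf(text):
    """Return {(service, facility): [(control, module, args), ...]}.

    pam.conf lines are 'service facility control module [args...]'.
    Blank lines and '#' comments are skipped, so the commented-out
    kerberosIV line contributes nothing until it is un-commented.
    """
    stacks = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        service, facility, control, module, *args = fields
        stacks.setdefault((service, facility), []).append(
            (control, module, tuple(args)))
    return stacks


def run_stack(stack, outcome):
    """Evaluate one stack given each module's result.

    outcome maps module name -> True (success) / False (failure); a module
    missing from the mapping counts as failing.  Returns
    (authenticated, modules_consulted) so the caller can see where the
    stack stopped.
    """
    consulted = []
    required_failed = False
    for control, module, _args in stack:
        consulted.append(module)
        ok = outcome.get(module, False)
        if control == "sufficient":
            # Success ends the stack now, unless an earlier 'required'
            # module already failed: then the answer stays 'failure' and
            # the remaining modules still run.  Failure is simply ignored.
            if ok and not required_failed:
                return True, consulted
        elif control == "requisite":
            # Failure ends the stack here; nothing below is consulted.
            if not ok:
                return False, consulted
        elif control == "required":
            # Failure is remembered, but the rest of the stack still runs,
            # so the prompt sequence does not reveal which module refused.
            if not ok:
                required_failed = True
        elif control != "optional":
            raise ValueError(f"unknown control flag {control!r}")
    return not required_failed, consulted


def authenticate(conf_text, service, outcome):
    """Run the 'auth' stack of `service` from the given pam.conf text."""
    return run_stack(parse_pam_conf(conf_text)[(service, "auth")], outcome)


if __name__ == "__main__":
    # S/Key accepted: the sshd stack stops after pam_skey.so.
    print(authenticate(PAM_CONF, "sshd", {"pam_skey.so": True}))
    # Cleartext not allowed for login: 'requisite' stops the stack before
    # pam_unix.so is ever asked.
    print(authenticate(PAM_CONF, "login", {"pam_unix.so": True}))
    # Kerberos site, ticket obtained: pam_unix.so is never consulted.
    print(authenticate(PAM_CONF_KERBEROS, "login",
                       {"pam_cleartext_pass_ok.so": True,
                        "pam_kerberosIV.so": True}))
```

The consulted-module list is the useful part when reviewing a stack: it shows that under the sshd stanza a failed S/Key attempt always falls through to pam_unix.so, whereas the login stanza's requisite pam_cleartext_pass_ok.so can refuse before any password module runs, and that adding a sufficient kerberosIV line changes only which module ends the stack, never whether pam_unix.so remains the final required check.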