From owner-freebsd-security Tue Jan 30 16:50:28 2001
Delivered-To: freebsd-security@freebsd.org
Received: from green.dyndns.org (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 3E5BC37B6A6; Tue, 30 Jan 2001 16:50:09 -0800 (PST)
Received: from localhost (3839c5@localhost [127.0.0.1]) by green.dyndns.org (8.11.1/8.11.1) with ESMTP id f0V0n1f15852; Tue, 30 Jan 2001 19:49:02 -0500 (EST) (envelope-from green@FreeBSD.org)
Message-Id: <200101310049.f0V0n1f15852@green.dyndns.org>
X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4
To: Robert Watson
Cc: green@FreeBSD.org, security@FreeBSD.org
Subject: Re: PAM/SSH and KerberosIV?
In-Reply-To: Message from Robert Watson of "Tue, 30 Jan 2001 19:30:57 EST."
From: "Brian F. Feldman"
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 30 Jan 2001 19:49:01 -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Robert Watson wrote:
> I notice that as part of the PAM/OpenSSH support, the following lines were
> added to the pam.conf on -STABLE:
>
> # OpenSSH with PAM support requires similar modules. The session one is
> # a bit strange, though...
> sshd auth sufficient pam_skey.so
> sshd auth required pam_unix.so try_first_pass
> sshd session required pam_permit.so
>
> For most sets of entries, there's also a kerberos line (witness login):
>
> # If the user can authenticate with S/Key, that's sufficient; allow clear
> # password. Try kerberos, then try plain unix password.
> login auth sufficient pam_skey.so
> login auth requisite pam_cleartext_pass_ok.so
> #login auth sufficient pam_kerberosIV.so try_first_pass
> login auth required pam_unix.so try_first_pass
>
> Which gets un-commented for Kerberos sites. Could you comment on whether
> or not a similar looking line is required for use with KerberosIV and
> OpenSSH?

I don't know.
I do not have the capacity to test Kerberos without going through the trouble of setting it up for only myself only on my own computer, which would be an exercise in utterly profound useless effort. So, anyone who does it, let me know if it works for you and how.

BTW, you ever test the make-ssh-use-/dev/tty-to-ask-for-OTP patch?

--
 Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
 green@FreeBSD.org                    `------------------------------'
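The thread above turns on how PAM's control flags (sufficient, requisite, required) combine across the quoted pam.conf stacks. The following is an added illustration, not code from the thread and not FreeBSD's PAM implementation: a small simulator that parses the quoted lines, then walks a stack under the standard control-flag semantics and reports both the outcome and which modules were actually consulted. The module outcomes (which of pam_skey.so, pam_cleartext_pass_ok.so, pam_kerberosIV.so, pam_unix.so succeed for a given login attempt) are constructed inputs; the try_first_pass option is parsed but has no effect here, and denying an empty stack is an assumption made by this simulator rather than something the thread states.

```python
# Added example: simulator of PAM control-flag evaluation over the pam.conf
# stacks quoted in the thread. Not FreeBSD's PAM code; module results are
# constructed inputs.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The exact pam.conf fragment quoted from -STABLE in the thread.
PAM_CONF_STABLE = """\
# OpenSSH with PAM support requires similar modules. The session one is
# a bit strange, though...
sshd auth sufficient pam_skey.so
sshd auth required pam_unix.so try_first_pass
sshd session required pam_permit.so
# If the user can authenticate with S/Key, that's sufficient; allow clear
# password. Try kerberos, then try plain unix password.
login auth sufficient pam_skey.so
login auth requisite pam_cleartext_pass_ok.so
#login auth sufficient pam_kerberosIV.so try_first_pass
login auth required pam_unix.so try_first_pass
"""

# The same fragment with the Kerberos line un-commented, as the thread says
# Kerberos sites do for login.
PAM_CONF_KERBEROS = PAM_CONF_STABLE.replace(
    "#login auth sufficient pam_kerberosIV.so",
    "login auth sufficient pam_kerberosIV.so",
)

CONTROLS = ("required", "requisite", "sufficient", "optional")


@dataclass(frozen=True)
class Entry:
    service: str        # sshd, login, ...
    facility: str       # auth, account, session, password
    control: str        # one of CONTROLS
    module: str         # pam_foo.so
    options: Tuple[str, ...] = ()   # e.g. try_first_pass (parsed, not simulated)


def parse_pam_conf(text: str) -> List[Entry]:
    """Parse pam.conf lines; '#' starts a comment, so '#login ...' is ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        service, facility, control, module = fields[:4]
        if control not in CONTROLS:
            raise ValueError(f"unknown control flag {control!r} in {raw!r}")
        entries.append(Entry(service, facility, control, module, tuple(fields[4:])))
    return entries


def run_stack(entries: List[Entry], service: str, facility: str,
              results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Evaluate one service/facility stack.

    results maps module name -> True (PAM_SUCCESS) / False. A module absent
    from the table is treated as failing (e.g. not usable for this user).
    Returns (authenticated, list of modules that were actually consulted).
    """
    stack = [e for e in entries if e.service == service and e.facility == facility]
    if not stack:
        return False, []          # assumption: an empty stack denies
    consulted: List[str] = []
    required_failed = False
    optional_result = None
    for e in stack:
        ok = results.get(e.module, False)
        consulted.append(e.module)
        if e.control == "required":
            if not ok:
                required_failed = True   # remember, but keep running later modules
        elif e.control == "requisite":
            if not ok:
                return False, consulted  # stop at once; later modules never run
        elif e.control == "sufficient":
            if ok and not required_failed:
                return True, consulted   # short-circuit success
            # a failing sufficient module is simply ignored
        else:  # optional: only decides when it is the whole stack
            optional_result = ok
    if all(e.control == "optional" for e in stack):
        return bool(optional_result), consulted
    return (not required_failed), consulted
```

Two things the trace makes visible: with the -STABLE file, a login attempt that passes the cleartext check and presents a valid Kerberos credential still ends at pam_unix.so and fails, because the commented Kerberos line is not part of the stack; and because the sshd auth stack as quoted contains only pam_skey.so and pam_unix.so, a Kerberos-only user is refused there regardless of how login is configured, which is exactly the gap the question asks about. The simulator does not say whether pam_kerberosIV.so works under sshd, only what the quoted stacks evaluate to. Note also that requisite returns the moment pam_cleartext_pass_ok.so fails, whereas a failing required module lets the rest of the stack run before the final denial.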