From: KAK BO CHE
Reply-To: KAK.BO.CHE@gmail.com
To: freebsd-questions@freebsd.org
Date: Mon, 23 Feb 2009 11:59:52 -0700
Subject: difficulty using SSH Kerberos PAM Authentication with 7.1 Release

I recently did a freebsd-update to a machine running 6.3 to 7.1. I am now having difficulty getting pam_krb5 to work as it used to for sshd authentication.

After upgrading to 7.1 I noticed the openpam_dispatch() and pam_sm_authenticate() errors on my console when trying to log in via ssh. I fixed these by removing the pam_nologin module from the auth list in my sshd pam config file.

My current pam sshd configuration file is as follows:

    # auth
    auth            required        pam_krb5.so             no_warn try_first_pass
    #auth           required        pam_unix.so             no_warn try_first_pass nullok

    # account
    account         required        pam_nologin.so
    #account        required        pam_krb5.so
    account         required        pam_login_access.so
    account         required        pam_unix.so

    # session
    #session        optional        pam_ssh.so
    session         required        pam_permit.so

    # password
    #password       sufficient      pam_krb5.so             no_warn try_first_pass
    password        required        pam_unix.so             no_warn try_first_pass

If I attempt to log in with the correct Kerberos credentials I get the following error:

    pam_setcred() failed to retreive user credentials

If I re-enable the "auth required pam_unix.so" line and change the line before it to "auth sufficient pam_krb5.so" I can log on with either my Kerberos or the local system password, but no other password, as expected. Unfortunately, I cannot allow local user passwords to log on to the system.

What am I doing wrong? A similar setup worked with FreeBSD 6.3, but the last authentication module was pam_nologin.

Thanks,
--Troy
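
Added example (not part of the original message, and not FreeBSD or OpenPAM code): a simplified model of how the control flags in the two "auth" chains described above combine, usable as a check that a service file never accepts a password known only to pam_unix. It models pam_authenticate() only, not the pam_setcred() step that produces the reported error. The constant and function names are hypothetical, and treating a chain with no required or requisite module as a failure is an assumption of this sketch.

```python
# Simplified model of PAM "auth" chain evaluation (added illustration).
# Only pam_authenticate() is modelled; pam_setcred() is out of scope.

# Constructed from the message: the posted chain, and the variant it describes.
SSHD_KRB5_ONLY = """\
auth required pam_krb5.so no_warn try_first_pass
#auth required pam_unix.so no_warn try_first_pass nullok
"""
SSHD_KRB5_OR_UNIX = """\
auth sufficient pam_krb5.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok
"""

def parse_auth_chain(text):
    """Return [(control, module)] for the active 'auth' lines of a service file."""
    chain = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments and blank lines
        if len(fields) >= 3 and fields[0] == "auth":
            chain.append((fields[1], fields[2]))
    return chain

def authenticate(chain, accepting):
    """Evaluate the chain; `accepting` is the set of modules that accept the password."""
    failed = False     # a required module has failed
    decided = False    # a required/requisite module has run (assumption, see lead-in)
    for control, module in chain:
        ok = module in accepting
        if control == "required":
            failed = failed or not ok   # failure is remembered, chain continues
            decided = True
        elif control == "requisite":
            if not ok:
                return False            # failure ends the chain at once
            decided = True
        elif control == "sufficient":
            if ok and not failed:
                return True             # success ends the chain at once
        # a failed "sufficient" and any "optional" result are ignored here
    return decided and not failed

def local_password_accepted(text):
    """True if a password that only pam_unix.so accepts passes the auth chain."""
    return authenticate(parse_auth_chain(text), {"pam_unix.so"})

if __name__ == "__main__":
    for name, cfg in (("krb5 only", SSHD_KRB5_ONLY), ("krb5 or unix", SSHD_KRB5_OR_UNIX)):
        print(name, "-> local password accepted:", local_password_accepted(cfg))
```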