Date: Wed, 23 May 2001 15:42:49 -0700 (PDT)
From: Peter Losher
To: "Jacques A. Vidrine"
Cc: Peter Losher
Subject: Re: OpenSSH and Krb5, FreeBSD style...
In-Reply-To: <20010523164412.A540@shade.nectar.com>

On Wed, 23 May 2001, Jacques A. Vidrine wrote:

> The OpenSSH v2 stuff doesn't do Kerberos (IV nor 5).

Ahh...

> > Bad news, UW-IMAP suffers from the same linker problem.  Also, SSHD
> > refuses to take any Krb5 authentication, tkt or password.
>
> I'm confused -- above you said that it `seems to work fine' with the
> v1 protocol.  Which SSHD are you talking about here?

That was the client on the box going out to other SSHD's (SSH Inc's SSH)
on other servers; it worked fine.  However, if I tried ssh'ing into the
box, it refuses to take either my Kerberos ticket or entered password
(Krb5 passwd).

> > I installed pam_krb5 from ports, replaced the commented out Krb4
> > line under sshd with one for pam_krb5.so, and now sshd segfaults
> > whenever you type in a Kerberos password.
>
> Obviously that shouldn't happen, but the module is young and finicky.
> Use the following for sshd/pam_krb5:
>
>   auth sufficient pam_krb5.so try_first_pass
>   auth required pam_unix.so
>   account sufficient pam_krb5.so try_first_pass
>   account required pam_unix.so
>   session sufficient pam_krb5.so try_first_pass
>   session required pam_unix.so

This is what I have under sshd in /etc/pam.conf (should it be in another
file?):

-=-
sshd auth sufficient pam_krb5.so try_first_pass
sshd auth required pam_unix.so
sshd account sufficient pam_krb5.so try_first_pass
sshd account required pam_unix.so
sshd session sufficient pam_krb5.so try_first_pass
sshd session required pam_unix.so
sshd session required pam_permit.so
-=-

And this is what I get after typing my Krb5 passwd:

-=-
May 23 15:40:52 web1 sshd[319]: unable to resolve symbol: pam_sm_open_session
May 23 15:40:52 web1 sshd[319]: unable to resolve symbol: pam_sm_close_session
May 23 15:41:19 web1 /kernel: pid 319 (sshd), uid 0: exited on signal 11
-=-

Thanks - Peter
-- 
Peter.Losher@nominum.com - [ Systems Admin. | Nominum, Inc. ]
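Added example, not part of the original message or of any FreeBSD or pam_krb5 code: a small linter that checks pam.conf entries like the ones above against the entry points each module exports, which is the mismatch the "unable to resolve symbol" lines report. The export table is constructed to mirror those log lines and is an assumption, as are the function names `parse_pam_conf` and `missing_entry_points`.

```python
# Entry points libpam calls in a service module, per facility (standard PAM SPI).
REQUIRED = {
    "auth": ("pam_sm_authenticate", "pam_sm_setcred"),
    "account": ("pam_sm_acct_mgmt",),
    "session": ("pam_sm_open_session", "pam_sm_close_session"),
    "password": ("pam_sm_chauthtok",),
}
ALL = {sym for syms in REQUIRED.values() for sym in syms}

# Constructed export table (an assumption that mirrors the syslog lines above).
# On a real host, fill it from the dynamic symbols `nm -D <module>` lists.
EXPORTS = {
    "pam_krb5.so": ALL - {"pam_sm_open_session", "pam_sm_close_session"},
    "pam_unix.so": ALL,
    "pam_permit.so": ALL,
}

# The sshd entries quoted in the message.
PAM_CONF = """\
sshd auth sufficient pam_krb5.so try_first_pass
sshd auth required pam_unix.so
sshd account sufficient pam_krb5.so try_first_pass
sshd account required pam_unix.so
sshd session sufficient pam_krb5.so try_first_pass
sshd session required pam_unix.so
sshd session required pam_permit.so
"""

def parse_pam_conf(text):
    """Yield (service, facility, control, module) for each pam.conf entry."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 4:  # skip blanks, comments and malformed lines
            yield tuple(fields[:4])

def missing_entry_points(text, exports):
    """Return (service, facility, module, missing symbols) per bad entry."""
    findings = []
    for service, facility, _control, module in parse_pam_conf(text):
        have = exports.get(module)
        if have is None:  # module never inspected: flag rather than assume
            findings.append((service, facility, module, ("<not inspected>",)))
            continue
        missing = tuple(s for s in REQUIRED.get(facility, ()) if s not in have)
        if missing:
            findings.append((service, facility, module, missing))
    return findings

if __name__ == "__main__":
    for finding in missing_entry_points(PAM_CONF, EXPORTS):
        print(*finding)
```

Running a check like this before restarting sshd catches a stacked module that cannot serve the facility it is listed under, instead of discovering it at login time.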