Date:      Wed, 23 May 2001 18:21:04 -0500
From:      "Jacques A. Vidrine" <n@nectar.com>
To:        Peter Losher <Peter.Losher@nominum.com>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: OpenSSH and Krb5, FreeBSD style...
Message-ID:  <20010523182104.C2431@shade.nectar.com>
In-Reply-To: <Pine.NEB.4.33.0105231513300.9543-100000@shell1.nominum.com>; from Peter.Losher@nominum.com on Wed, May 23, 2001 at 03:42:49PM -0700
References:  <20010523164412.A540@shade.nectar.com> <Pine.NEB.4.33.0105231513300.9543-100000@shell1.nominum.com>

On Wed, May 23, 2001 at 03:42:49PM -0700, Peter Losher wrote:
> > > Bad news, UW-IMAP suffers from the same linker problem <sigh>.  Also, SSHD
> > > refuses to take any Krb5 authentication, tkt or password.
> >
> > I'm confused -- above you said that it `seems to work fine' with the
> > v1 protocol.  Which SSHD are you talking about here?
> 
> That was the client on the box going out to other SSHD's (SSH Inc's SSH)
> on other servers; it worked fine.   However, if I tried ssh'ing into the
> box, it refuses to take either my Kerberos ticket or entered password
> (Krb5 passwd)

It is still not clear to me what SSHD you are talking about.  Let me
try another approach: are both client and server the FreeBSD OpenSSH
built as part of a world with MAKE_KERBEROS5=yes?  This is the
environment which I know works.

> This is what I have under sshd in /etc/pam.conf (should it be in another
> file?):

I use a /etc/pam.d/... layout.  Same difference.

> -=-
> sshd	auth    sufficient      pam_krb5.so try_first_pass
> sshd	auth    required        pam_unix.so
> sshd	account sufficient      pam_krb5.so try_first_pass
> sshd	account required        pam_unix.so
> sshd	session sufficient      pam_krb5.so try_first_pass
> sshd	session required        pam_unix.so
> sshd	session required	pam_permit.so
> -=-

Looks ok.

> And this is what I get after typing my Krb5 passwd:
> 
> -=-
> May 23 15:40:52 web1 sshd[319]: unable to resolve symbol: pam_sm_open_session
> May 23 15:40:52 web1 sshd[319]: unable to resolve symbol: pam_sm_close_session
> May 23 15:41:19 web1 /kernel: pid 319 (sshd), uid 0: exited on signal 11
> -=-

The `unable to resolve symbol' messages are harmless: the pam_krb5
module doesn't do session management.

I'd need a backtrace to guess what the segment violation is about.  I
just double-checked on a fairly fresh 4.3-RELEASE machine, newly
installed Heimdal port + pam_krb5 port, and it works as expected.

Cheers,
-- 
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org
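
The check below is an added example, not part of the original message or of any FreeBSD tool: it walks the quoted sshd entries and reports which ones name a module that lacks the entry points PAM looks up for that facility, which is what produces the `unable to resolve symbol' log lines. The function name and the export table are assumptions; the table is constructed for illustration and would in practice be filled from each module's dynamic symbol table (for example with `nm -D`).

```python
# Standard PAM service-module entry points, grouped by facility.
ENTRY_POINTS = {
    "auth": ("pam_sm_authenticate", "pam_sm_setcred"),
    "account": ("pam_sm_acct_mgmt",),
    "session": ("pam_sm_open_session", "pam_sm_close_session"),
    "password": ("pam_sm_chauthtok",),
}
ALL_SYMBOLS = {s for syms in ENTRY_POINTS.values() for s in syms}

# The sshd entries quoted in the message (whitespace normalized).
PAM_CONF = """\
sshd auth    sufficient pam_krb5.so try_first_pass
sshd auth    required   pam_unix.so
sshd account sufficient pam_krb5.so try_first_pass
sshd account required   pam_unix.so
sshd session sufficient pam_krb5.so try_first_pass
sshd session required   pam_unix.so
sshd session required   pam_permit.so
"""

# Constructed export table (assumption, not read from real modules).
# It models a pam_krb5 with no session entry points, as the reply describes.
EXPORTS = {
    "pam_krb5.so": {"pam_sm_authenticate", "pam_sm_setcred", "pam_sm_acct_mgmt"},
    "pam_unix.so": set(ALL_SYMBOLS),
    "pam_permit.so": set(ALL_SYMBOLS),
}

def unresolved_symbols(conf_text, exports):
    """Return (line, module, facility, missing symbols) for each mismatch."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split columns
        if not fields:
            continue
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: expected service facility control module")
        facility, module = fields[1].lower(), fields[3]
        if facility not in ENTRY_POINTS:
            raise ValueError(f"line {lineno}: unknown facility {facility!r}")
        if module not in exports:
            raise LookupError(f"line {lineno}: no export list for {module}")
        missing = [s for s in ENTRY_POINTS[facility] if s not in exports[module]]
        if missing:
            findings.append((lineno, module, facility, missing))
    return findings

if __name__ == "__main__":
    for finding in unresolved_symbols(PAM_CONF, EXPORTS):
        print(finding)
```
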