From: Vinícius Ferrão
To: freebsd-questions@freebsd.org
Subject: PAM configuration to allow passwords from both Unix and Kerberos
Date: Sat, 24 May 2014 21:29:12 +0000
Message-ID: <76ABABB0-10FA-4870-B397-373CD14E0072@if.ufrj.br>
Hello guys,

I’m trying to understand why this answer from 2011 on this list is a good way to solve the problem. It’s strange to have two pam_unix.so lines in the same scope:

12.12.2011 20:35, Matt Mullins wrote:
> On Mon, Dec 12, 2011 at 1:40 AM, Volodymyr Kostyrko wrote:
>> 10.12.2011 04:22, Matt Mullins wrote:
>>> auth optional pam_deny.so
>>> auth sufficient pam_unix.so no_warn try_first_pass
>>> auth sufficient pam_krb5.so no_warn try_first_pass
>>
>>
>> Why haven't you just changed the last line to `required`?
>
> I did try that, but I omitted it due to completely failing behavior.
> pam_krb5.so returns failure during pam_setcred() if the user did not
> log in with Kerberos credentials, whereas pam_unix.so succeeds as long
> as the uid exists (I'm using nss_ldap for that part, so all the uids
> do indeed exist). Thus, pam_unix.so will work with "required", but
> pam_krb5.so won't.
>
>> Why not just get the stock `/usr/src/etc/pam.d/sshd` and uncomment anything
>> related to Kerberos? That's quite simple, unlike managing `su`.
>
> That's pretty much what I did. I'm a little unhappy since pam_krb5.so
> is before pam_unix.so in the list, so if the KDC goes down I have to
> wait for a time-out to log in to my system... but that's always better
> than letting anyone in :)

So how about:

auth sufficient pam_unix.so no_warn try_first_pass
auth sufficient pam_krb5.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass

============

Thanks in advance,
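A small model of how the three stacks in this thread combine their module results, added here as an illustration; it is not code from the message above, from OpenPAM or from any FreeBSD module. It follows the control-flag rules of pam.conf(5) (required, requisite, sufficient, optional) and replaces the real modules with constructed stub outcomes for three users (local password only, Kerberos principal only, wrong password). Two details are assumptions of the model rather than verified OpenPAM behaviour and are marked as such in the code: a chain in which no module succeeded is denied, and in the setcred phase a successful `sufficient` module does not end the chain early, which is what makes the pam_setcred() failure Matt describes visible when pam_krb5.so is `required`.

```python
"""Simplified model of how a PAM 'auth' chain combines module results.

Added example, not code from the mailing-list post, OpenPAM or FreeBSD.
Module calls are replaced by constructed stub outcomes so it runs offline.
Two points are assumptions of this model, not verified OpenPAM behaviour:
  * a chain in which no module succeeded is denied;
  * in the setcred phase a successful 'sufficient' module does not
    short-circuit the chain.
"""
from dataclasses import dataclass

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"   # generic failure code used by every failing stub


@dataclass(frozen=True)
class Entry:
    flag: str     # required | requisite | sufficient | optional
    module: str   # e.g. "pam_unix.so"; module options are ignored here


def parse_chain(text, facility="auth"):
    """Parse pam.d-style lines such as 'auth sufficient pam_unix.so no_warn'."""
    chain = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#") or parts[0] != facility:
            continue
        if parts[1] not in ("required", "requisite", "sufficient", "optional"):
            raise ValueError("unknown control flag: " + parts[1])
        chain.append(Entry(parts[1], parts[2]))
    return chain


def run_chain(chain, results, phase="authenticate"):
    """Return (final_code, trace) for one pass over the chain.

    results maps module name -> stub return code (constructed outcomes).
    trace lists (module, code) for every module actually called, which is
    how you can see pam_unix.so being invoked twice in the proposed stack.
    """
    err = None               # first failure, overridden by first required failure
    required_failed = False
    any_success = False
    trace = []
    for entry in chain:
        code = results[entry.module]
        trace.append((entry.module, code))
        if code == PAM_SUCCESS:
            any_success = True
            # 'sufficient' ends the chain with success unless a required module
            # already failed; assumed not to apply during setcred.
            if entry.flag == "sufficient" and not required_failed and phase != "setcred":
                break
            continue
        if err is None:
            err = code
        if entry.flag == "required" and not required_failed:
            required_failed, err = True, code
        elif entry.flag == "requisite":
            required_failed, err = True, code
            break                        # a requisite failure stops the chain
        # 'sufficient' and 'optional' failures only let the chain continue
    if required_failed:
        return err, trace
    if not any_success:
        return err or PAM_AUTH_ERR, trace   # assumption: nothing succeeded -> deny
    return PAM_SUCCESS, trace


def evaluate(stack_text, results, phase="authenticate"):
    return run_chain(parse_chain(stack_text), results, phase)[0]


# The three stacks discussed in the thread.
MULLINS_2011 = """\
auth optional   pam_deny.so
auth sufficient pam_unix.so no_warn try_first_pass
auth sufficient pam_krb5.so no_warn try_first_pass
"""
KRB5_REQUIRED = """\
auth sufficient pam_unix.so no_warn try_first_pass
auth required   pam_krb5.so no_warn try_first_pass
"""
PROPOSED = """\
auth sufficient pam_unix.so no_warn try_first_pass
auth sufficient pam_krb5.so no_warn try_first_pass
auth required   pam_unix.so no_warn try_first_pass
"""

# Constructed stub outcomes.  pam_deny.so always fails.  For a user who logged
# in with a local password, pam_krb5.so also fails in setcred (the behaviour
# the thread describes), so UNIX_ONLY_USER serves both phases.
UNIX_ONLY_USER = {"pam_deny.so": PAM_AUTH_ERR, "pam_unix.so": PAM_SUCCESS, "pam_krb5.so": PAM_AUTH_ERR}
KRB5_ONLY_USER = {"pam_deny.so": PAM_AUTH_ERR, "pam_unix.so": PAM_AUTH_ERR, "pam_krb5.so": PAM_SUCCESS}
BAD_PASSWORD = {"pam_deny.so": PAM_AUTH_ERR, "pam_unix.so": PAM_AUTH_ERR, "pam_krb5.so": PAM_AUTH_ERR}


if __name__ == "__main__":
    stacks = (("mullins 2011", MULLINS_2011), ("krb5 required", KRB5_REQUIRED), ("proposed", PROPOSED))
    users = (("unix-only", UNIX_ONLY_USER), ("krb5-only", KRB5_ONLY_USER), ("bad pass", BAD_PASSWORD))
    for name, stack in stacks:
        for phase in ("authenticate", "setcred"):
            for user, results in users:
                print(f"{name:14} {phase:12} {user:9} -> {evaluate(stack, results, phase)}")
```

Under this model the `required pam_krb5.so` variant denies the setcred phase for a local-password user, which matches what Matt reports, while the proposed stack keeps the early `sufficient` exits for a correct password and lets the trailing `required pam_unix.so` turn a wrong password into a denial instead of leaving the result to an `optional pam_deny.so`. The trace also shows the cost: on a wrong password pam_unix.so runs twice. The model says nothing about prompting, so whether that second line re-prompts under `try_first_pass` has to be checked against the real modules.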