Date: Thu, 27 Aug 2015 15:08:18 -0700
From: Eric Shell <eshell@soe.ucsc.edu>
To: freebsd-questions@freebsd.org
Subject: Re: Obtain Kerberos ticket automatically upon SSH login with PAM
Message-ID: <CAG0+=VJDWOqZcQZDYWTNm8odcFnLuRP1t1i-p_hr8=Ata5JLMg@mail.gmail.com>
In-Reply-To: <CAG0+=VJq2dQfPJ1ZgVzryZt-9_Hs+YkzGGhdXn8+jF6nWUs3CQ@mail.gmail.com>
References: <CAG0+=VJq2dQfPJ1ZgVzryZt-9_Hs+YkzGGhdXn8+jF6nWUs3CQ@mail.gmail.com>
To answer my own question, it turns out that the pam_krb5 module included
with FreeBSD simply cannot do it. The security/pam_krb5 port works
perfectly, however.

On Thu, Aug 27, 2015 at 10:20 AM, Eric Shell <eshell@soe.ucsc.edu> wrote:
> Hi folks,
>
> I'm trying to get a nice and tidy login process that authenticates users
> via LDAP and also automatically grabs a Kerberos ticket so they can
> immediately mount Kerberized NFSv4 exports without bothering to kinit. My
> /etc/pam.d/system configuration is working for console logins, but I can't
> get it working for SSH logins even when using basically the same chain.
>
> With the debug argument to my pam_krb5.so line, I am getting this error in
> /var/log/debug.log for SSH logins:
>
> sshd[7457]: in openpam_dispatch(): /usr/lib/pam_krb5.so.5:
> pam_sm_setcred(): failed to retrieve user credentials
>
> Searching for that error on Google turns up a thread from 2013 that seems
> to indicate that the problem lies with OpenSSH. Is that true? If so, is
> there any way to make this work?
>
> /etc/pam.d/system:
>
> # auth
> auth sufficient pam_opie.so no_warn no_fake_prompts
> auth requisite pam_opieaccess.so no_warn allow_local
> auth optional pam_krb5.so debug try_first_pass
> auth sufficient pam_ldap.so no_warn try_first_pass
> #auth sufficient pam_ssh.so no_warn try_first_pass
> auth required pam_unix.so no_warn try_first_pass nullok
>
> # account
> #account required pam_krb5.so
> account required pam_login_access.so
> account required pam_unix.so
>
> # session
> #session optional pam_ssh.so want_agent
> session required pam_lastlog.so no_fail
>
> # password
> #password sufficient pam_krb5.so no_warn try_first_pass
> password required pam_unix.so no_warn try_first_pass
>
>
> /etc/pam.d/sshd:
>
> # auth
> auth sufficient pam_opie.so no_warn no_fake_prompts
> #auth requisite pam_opieaccess.so no_warn allow_local
> auth optional pam_krb5.so debug try_first_pass
> auth sufficient pam_ldap.so no_warn try_first_pass
> #auth sufficient pam_ssh.so no_warn try_first_pass
> auth required pam_unix.so no_warn try_first_pass
>
> # account
> account required pam_nologin.so
> #account required pam_krb5.so
> account required pam_login_access.so
> account required pam_unix.so
>
> # session
> #session optional pam_ssh.so want_agent
> session required pam_permit.so
>
> # password
> #password sufficient pam_krb5.so no_warn try_first_pass
> password required pam_unix.so no_warn try_first_pass
>
> --
> Eric Shell
> Apple & Google Apps Administrator
> Baskin School of Engineering
> UC Santa Cruz
> 831 459 4919
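As an added example, not part of the thread above, this is what the poster's /etc/pam.d/sshd stack looks like once it is switched from the base system's pam_krb5.so to the module from the security/pam_krb5 port. It assumes the port installs its module as /usr/local/lib/security/pam_krb5.so (confirm the path with `pkg info -l pam_krb5` before copying it), and that sshd_config has `UsePAM yes` with password or keyboard-interactive authentication enabled: pam_krb5 can only request a ticket when PAM sees the user's password, so a public-key login, which skips pam_authenticate(), will never produce one. The `debug` argument from the original line is dropped.

```conf
# /etc/pam.d/sshd -- added example using the security/pam_krb5 port's module.
# The module path below is an assumption; verify with: pkg info -l pam_krb5

# auth
# pam_krb5 stays "optional": LDAP (sufficient) still decides whether the
# login succeeds, and try_first_pass lets krb5 reuse the password the user
# typed instead of prompting twice.
auth      sufficient  pam_opie.so                            no_warn no_fake_prompts
auth      optional    /usr/local/lib/security/pam_krb5.so    try_first_pass
auth      sufficient  pam_ldap.so                            no_warn try_first_pass
auth      required    pam_unix.so                            no_warn try_first_pass

# account
account   required    pam_nologin.so
account   required    pam_login_access.so
account   required    pam_unix.so

# session
# sshd calls both pam_setcred() and pam_open_session(); the session line is
# harmless here and makes the same stack usable by services that only run
# the session phase (assumption: the port's module creates the credential
# cache in either call).
session   optional    /usr/local/lib/security/pam_krb5.so
session   required    pam_permit.so

# password
password  required    pam_unix.so                            no_warn try_first_pass
```

No sshd restart is needed, since PAM policy files are read on each login. To verify, log in with a password and run `klist` in that session; a `krbtgt/REALM@REALM` entry means the module wrote the cache and the Kerberized NFSv4 mount should no longer need a manual kinit. One caveat if pam_krb5 is ever promoted from `optional` to `sufficient`: give the host a keytab (host/fqdn principal) so the module can verify the KDC's reply against a local key rather than trusting whichever KDC answers; with `optional` and LDAP as the gate, a spoofed KDC yields at most a useless ticket, not a login.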