Date:      Tue, 30 Jan 2001 19:49:01 -0500
From:      "Brian F. Feldman" <green@FreeBSD.org>
To:        Robert Watson <rwatson@FreeBSD.org>
Cc:        green@FreeBSD.org, security@FreeBSD.org
Subject:   Re: PAM/SSH and KerberosIV? 
Message-ID:  <200101310049.f0V0n1f15852@green.dyndns.org>
In-Reply-To: Message from Robert Watson <rwatson@FreeBSD.org>  of "Tue, 30 Jan 2001 19:30:57 EST." <Pine.NEB.3.96L.1010130192901.29561F-100000@fledge.watson.org> 

Robert Watson <rwatson@FreeBSD.org> wrote:
> 
> I notice that as part of the PAM/OpenSSH support, the following lines were
> added to the pam.conf on -STABLE:
> 
>   # OpenSSH with PAM support requires similar modules.  The session one is
>   # a bit strange, though...
>   sshd    auth    sufficient      pam_skey.so
>   sshd    auth    required        pam_unix.so try_first_pass
>   sshd    session required        pam_permit.so
> 
> For most sets of entries, there's also a kerberos line (witness login):
> 
>   # If the user can authenticate with S/Key, that's sufficient; allow  clear
>   # password. Try kerberos, then try plain unix password.
>   login   auth    sufficient      pam_skey.so
>   login   auth    requisite       pam_cleartext_pass_ok.so
>   #login  auth    sufficient      pam_kerberosIV.so try_first_pass
>   login   auth    required        pam_unix.so try_first_pass
> 
> Which gets un-commented for Kerberos sites.  Could you comment on whether
> or not a similar looking line is required for use with KerberosIV and
> OpenSSH?

I don't know.  I do not have the capacity to test Kerberos without going 
through the trouble of setting it up for only myself only on my own 
computer, which would be an exercise in utterly profound useless effort.  
So, anyone who does it, let me know if it works for you and how.

BTW, you ever test the make-ssh-use-/dev/tty-to-ask-for-OTP patch?

-- 
 Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
 green@FreeBSD.org                    `------------------------------'



