Date:      Mon, 12 Dec 2011 11:40:14 +0200
From:      Volodymyr Kostyrko <c.kworr@gmail.com>
To:        Matt Mullins <mokomull@gmail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: PAM configuration to allow passwords from both Unix and Kerberos
Message-ID:  <4EE5CBFE.9050908@gmail.com>
In-Reply-To: <CAPyT1SEZan8OZ1=r7bd4oyxuy=FAD9DFo=Wu27tRPzCQ%2BffRSQ@mail.gmail.com>
References:  <CAPyT1SEZan8OZ1=r7bd4oyxuy=FAD9DFo=Wu27tRPzCQ%2BffRSQ@mail.gmail.com>

10.12.2011 04:22, Matt Mullins wrote:
> For my systems, the canonical source of authentication information is
> a Kerberos server, but I also want to support old-fashioned Unix
> passwords for a handful of users (including myself) just in case the
> Kerberos system is unreachable.  I'm having a bit of trouble adjusting
> to the semantics of FreeBSD's PAM configuration, it seems.  The
> following is what I have tried in /etc/pam.d/sshd:
>
> auth optional   pam_deny.so
> auth sufficient pam_unix.so no_warn try_first_pass
> auth sufficient pam_krb5.so no_warn try_first_pass

Why haven't you just changed the last line to `required`?

> This does what I want: tries Unix authentication, and for most users,
> then goes and tries Kerberos authentication.  However, it also seems
> to allow access if the module does something other than success or
> failure: I hit ^D at the SSH password prompt and it grants me access!
> Adding "debug" to these lines doesn't seem to get anything additional
> logged, so I'm actually not sure why PAM ends up with a success code
> somewhere.
>
> I flipped this logic around and did:
>
> auth sufficient pam_unix.so no_warn
> auth sufficient pam_krb5.so no_warn try_first_pass
> auth required   pam_deny.so

That's not what you want. Read pam_deny(8). It has no use for real world 
scenarios except when something goes weird.

> This does exactly what I want for services like sudo, that just use
> pam_authenticate(), but since "sufficient" is equivalent to "optional"
> in pam_setcred(), sshd fails all authentications with:
> Dec  9 15:05:18 boron-shell sshd[66617]: fatal: PAM: pam_setcred():
> failed to retrieve user credentials
>
> I am completely stumped how to get this behavior working for both
> pam_authenticate and pam_setcred calls.  Can someone enlighten me what
> a more normal way to do this would be?

Why don't you just get the stock `/usr/src/etc/pam.d/sshd` and uncomment 
anything related to Kerberos? That's quite simple, unlike managing `su`.

-- 
Sphinx of black quartz judge my vow.
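An added example, not part of this thread and not FreeBSD's own tooling: a small Python linter that parses pam.d(5)-style lines and flags the two auth-stack pitfalls the thread runs into. First, a chain in which every module is `optional` or `sufficient`, so no module can ever deny (the first attempt, where ^D at the password prompt still got in); second, a `pam_deny.so` line that is either non-denying (useless) or `required` (which, as the thread notes, also fails `pam_setcred()` and breaks sshd). The sample configurations are the two quoted in the thread plus a constructed variant of the reply's suggestion to make the last line `required`; nothing here is a stock FreeBSD file.

```python
"""Lint a pam.d(5)-style service file for common auth-stack mistakes (added example)."""
from collections import defaultdict

# Control flags whose failure can never deny the whole chain.
NON_DENYING = {"optional", "sufficient"}
# Control flags whose failure does deny the chain.
DENYING = {"required", "requisite", "binding"}


def parse_pam(text):
    """Parse 'facility control module [args...]' lines; comments and blanks are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected 'facility control module', got {raw!r}")
        facility, control, module, *args = fields
        entries.append({"line": lineno, "facility": facility.lower(),
                        "control": control.lower(), "module": module, "args": args})
    return entries


def audit_auth_stack(text):
    """Return a list of finding strings for the 'auth' facility (empty list = nothing flagged)."""
    chain = [e for e in parse_pam(text) if e["facility"] == "auth"]
    if not chain:
        return ["auth: no modules configured"]
    findings = []
    controls = {e["control"] for e in chain}
    # Pitfall 1: a chain with no denying module cannot refuse anyone; the thread's
    # first attempt shows it granting access on a conversation error (^D).
    if not controls & DENYING:
        findings.append("auth: every module is optional/sufficient, so nothing in the "
                        "chain can deny; a conversation error can fall through to success")
    # Pitfall 2: pam_deny.so is either pointless or breaks pam_setcred().
    for e in chain:
        if e["module"] != "pam_deny.so":
            continue
        if e["control"] in NON_DENYING:
            findings.append(f"auth line {e['line']}: pam_deny.so marked "
                            f"{e['control']} never denies anything")
        else:
            findings.append(f"auth line {e['line']}: pam_deny.so marked {e['control']} "
                            "also fails pam_setcred(), which makes sshd abort with "
                            "'failed to retrieve user credentials'")
    return findings


# Constructed samples: the two stacks quoted in the thread, plus the reply's suggestion.
FIRST_ATTEMPT = """\
auth optional   pam_deny.so
auth sufficient pam_unix.so no_warn try_first_pass
auth sufficient pam_krb5.so no_warn try_first_pass
"""

SECOND_ATTEMPT = """\
auth sufficient pam_unix.so no_warn
auth sufficient pam_krb5.so no_warn try_first_pass
auth required   pam_deny.so
"""

# Assumed shape of the reply's suggestion (last line 'required'); not a stock file.
SUGGESTED = """\
auth sufficient pam_unix.so no_warn try_first_pass
auth required   pam_krb5.so no_warn try_first_pass
"""

if __name__ == "__main__":
    for name, cfg in [("first attempt", FIRST_ATTEMPT),
                      ("second attempt", SECOND_ATTEMPT),
                      ("suggested", SUGGESTED)]:
        print(f"== {name}")
        for finding in audit_auth_stack(cfg) or ["ok: no findings"]:
            print("  ", finding)
```

Run it against a real `/etc/pam.d/<service>` by passing the file contents to `audit_auth_stack`; the linter only looks at the `auth` facility because that is the chain both `pam_authenticate()` and `pam_setcred()` walk, which is why a `required pam_deny.so` at the end of it hurts sshd even though it is fine for a `pam_authenticate()`-only service like sudo.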