Date: Fri, 9 Dec 2011 18:22:41 -0800
From: Matt Mullins <mokomull@gmail.com>
To: freebsd-questions@freebsd.org
Subject: PAM configuration to allow passwords from both Unix and Kerberos
Message-ID: <CAPyT1SEZan8OZ1=r7bd4oyxuy=FAD9DFo=Wu27tRPzCQ%2BffRSQ@mail.gmail.com>
For my systems, the canonical source of authentication information is a Kerberos server, but I also want to support old-fashioned Unix passwords for a handful of users (including myself) just in case the Kerberos system is unreachable. I'm having a bit of trouble adjusting to the semantics of FreeBSD's PAM configuration, it seems. The following is what I have tried in /etc/pam.d/sshd:

    auth optional   pam_deny.so
    auth sufficient pam_unix.so no_warn try_first_pass
    auth sufficient pam_krb5.so no_warn try_first_pass

This does what I want: tries Unix authentication, and for most users, then goes and tries Kerberos authentication. However, it also seems to allow access if the module does something other than success or failure: I hit ^D at the SSH password prompt and it grants me access! Adding "debug" to these lines doesn't seem to get anything additional logged, so I'm actually not sure why PAM ends up with a success code somewhere.

I flipped this logic around and did:

    auth sufficient pam_unix.so no_warn
    auth sufficient pam_krb5.so no_warn try_first_pass
    auth required   pam_deny.so

This does exactly what I want for services like sudo, that just use pam_authenticate(), but since "sufficient" is equivalent to "optional" in pam_setcred(), sshd fails all authentications with:

    Dec  9 15:05:18 boron-shell sshd[66617]: fatal: PAM: pam_setcred(): failed to retrieve user credentials

I am completely stumped how to get this behavior working for both pam_authenticate and pam_setcred calls. Can someone enlighten me what a more normal way to do this would be?

-- 
Matt Mullins
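The two stacks in the post fail in opposite ways depending on which PAM primitive walks them, and that is easy to miss when a config is only tested by logging in once. The following is an added example, not code from the post, FreeBSD or OpenPAM: a toy simulator that parses pam.d-style "auth" lines and walks the chain under a simplified model of the control flags, once for pam_authenticate() and once for pam_setcred(). The model is an assumption chosen to reproduce what the post reports (a failing required module makes the chain fail, requisite stops at once, a successful sufficient module ends the chain, failures of sufficient and optional modules are ignored, sufficient is treated as optional under pam_setcred(), and a chain in which no required module failed ends in success); the module return codes per scenario are constructed inputs, not real module behaviour. The audit() check flags the two defects the post describes: a stack that accepts a login when every module has failed, and a stack that denies pam_setcred() after a successful login.

```python
"""Toy PAM control-flag simulator (illustrative model, not OpenPAM's dispatcher).

Assumed chain rules:
  required   - failure is recorded as fatal, but the walk continues
  requisite  - failure ends the walk immediately with that error
  sufficient - success ends the walk; failure is ignored; under pam_setcred()
               it is treated like optional (what the post reports)
  optional   - success and failure are both ignored
A chain in which no required/requisite module failed ends with PAM_SUCCESS.
"""
from dataclasses import dataclass

SUCCESS = "PAM_SUCCESS"
DENIED = "PAM_PERM_DENIED"
AUTH_ERR = "PAM_AUTH_ERR"


@dataclass(frozen=True)
class Entry:
    control: str   # required | requisite | sufficient | optional
    module: str    # e.g. pam_unix.so (options are ignored by this model)


def parse_stack(text):
    """Parse 'auth <control> <module> [options...]' lines into Entry objects."""
    stack = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] != "auth" or len(fields) < 3:
            raise ValueError(f"unsupported line: {line!r}")
        if fields[1] not in ("required", "requisite", "sufficient", "optional"):
            raise ValueError(f"unknown control flag: {fields[1]!r}")
        stack.append(Entry(fields[1], fields[2]))
    return stack


def dispatch(stack, results, primitive):
    """Walk `stack` and return the chain result.

    `results` maps module name -> return code for this call (constructed input).
    `primitive` is "authenticate" or "setcred".
    """
    fail, err = False, SUCCESS
    for entry in stack:
        control = entry.control
        if primitive == "setcred" and control == "sufficient":
            control = "optional"        # assumed: sufficient == optional for setcred
        r = results[entry.module]
        if r == SUCCESS:
            if control == "sufficient":
                break                   # chain ends; earlier required failures still count
            continue
        if control in ("required", "requisite"):
            if not fail:
                fail, err = True, r     # first fatal error wins
            if control == "requisite":
                return err
        # optional / sufficient failure: ignored, walk continues
    return err if fail else SUCCESS


def audit(stack):
    """Report the two outcomes the post is about, using constructed scenarios:
    every authentication module fails (e.g. an empty password), and every
    module succeeds on a follow-up pam_setcred(). pam_deny.so always denies."""
    modules = {e.module for e in stack}
    all_fail = {m: DENIED if m == "pam_deny.so" else AUTH_ERR for m in modules}
    all_ok = {m: DENIED if m == "pam_deny.so" else SUCCESS for m in modules}
    return {
        "accepts_when_every_module_fails":
            dispatch(stack, all_fail, "authenticate") == SUCCESS,
        "setcred_fails_after_good_login":
            dispatch(stack, all_ok, "setcred") != SUCCESS,
    }


# The two stacks from the post, verbatim.
STACK_A = parse_stack("""
auth optional   pam_deny.so
auth sufficient pam_unix.so no_warn try_first_pass
auth sufficient pam_krb5.so no_warn try_first_pass
""")
STACK_B = parse_stack("""
auth sufficient pam_unix.so no_warn
auth sufficient pam_krb5.so no_warn try_first_pass
auth required   pam_deny.so
""")

if __name__ == "__main__":
    for name, stack in (("A (optional deny first)", STACK_A),
                        ("B (required deny last)", STACK_B)):
        print(name, audit(stack))
```

Under this model stack A is the one that lets an all-failed login through, because nothing in it is required and the walk ends with no fatal error recorded; stack B closes that hole but, since its only required entry is pam_deny.so, every pam_setcred() call ends in PAM_PERM_DENIED. Reviewing a stack under both primitives before it goes into /etc/pam.d is the check the example is meant to make habitual.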