PAM Krb5

Darren Tucker dtucker at zip.com.au
Wed Jun 2 00:17:36 UTC 2004


Anthony Ramm wrote:
> I have been trying to get the PAM Krb5 module to work for the past few 
> days and was wondering if it would be possible for someone to point me 
> in the right direction regarding some problems I am having.  I'm using a 
> Gentoo system with MIT Kerberos5 v1.3.3, PAM v0.77 and PAM_krb5 version 
> 2.1.0.  When I ssh into the box I can login, but whilst I get a TGT 
> allocated (I can see it being allocated on the KDC)

Assuming you're using OpenSSH:
http://bugzilla.mindrot.org/show_bug.cgi?id=688

Possible solutions:
* Compile sshd to use threads.  This is the best known solution right 
now, but opens a whole can of thread-safety worms.

* There's a patch attached to the bug that creates the credential cache 
before sshd's authentication "thread" (a process, actually) exits.

* Current development versions can also do Password authentication via 
PAM (via a "blind" conversation function) in addition to 
ChallengeResponse.  This happens in the immediate ancestor of the shell, 
so the info stashed by the module (presumably with pam_set_data()?) 
during authentication doesn't get lost.


> Also, I'm asked for the password three times, where I
> can enter nonsense, before it prompts me for root at host password.

This is described (briefly) in the sshd_config man page description of 
UsePAM and the comments in sshd_config.  Basically, if you want to 
authenticate via PAM, set "PasswordAuthentication no" in sshd_config.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.




