
Re: PAM Krb5



Thanks for the advice, I think I've got it all working now. What I'm ultimately trying to do is set up a single sign-on situation where all passwords etc. are stored with Kerberos and permissions etc. are stored in an OpenLDAP database. I've nearly done this using pam_krb5 for authentication and I'm going to use pam_ldap for account information. Is it possible that if a user already has a Kerberos ticket and has permission on the destination host that they can be logged on automatically without having to enter a password? It seems as though it should, but I can't quite figure out how.

Thanks in advance,

Anthony,

On 2 Jun 2004, at 01:17, Darren Tucker wrote:

Anthony Ramm wrote:
I have been trying to get the PAM Krb5 module to work for the past few days and was wondering if it would be possible for someone to point me in the right direction regarding some problems I am having. I'm using a Gentoo system with MIT Kerberos5 v1.3.3, PAM v0.77 and PAM_krb5 version 2.1.0. When I ssh into the box I can log in, but whilst I get a TGT allocated (I can see it being allocated on the KDC)

Assuming you're using OpenSSH: http://bugzilla.mindrot.org/show_bug.cgi?id=688

Possible solutions:
* Compile sshd to use threads. This is the best known solution right now, but opens a whole can of thread-safety worms.

* There's a patch attached to the bug that creates the credential cache before sshd's authentication "thread" (a process, actually) exits.

* Current development versions can also do Password authentication via PAM (via a "blind" conversation function) in addition to ChallengeResponse. This happens in the immediate ancestor of the shell, so the info stashed by the module (presumably with pam_set_data()?) during authentication doesn't get lost.

> Also, I'm asked for the password three times, where I
> can enter nonsense, before it prompts me for root host password.

This is described (briefly) in the sshd_config man page description of UsePAM and the comments in sshd_config. Basically, if you want to authenticate via PAM, set "PasswordAuthentication no" in sshd_config


