Using pam_krb5 multiple times

Matt Clausen mclausen at csit.fsu.edu
Wed Jun 30 04:37:23 UTC 2004


I have a rather unique need in which I need a machine to check multiple 
realms for a principal that's logging in. I've downloaded the latest (I 
think... pam_krb5 doesn't seem to be maintained anymore) version and 
installed it, but what happens is that the first realm can authenticate 
fine, but not the second realm.

Here's an excerpt from the pam.d/system-auth file:

auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_krb5.so forwardable use_first_pass realm=<realm1>
auth        sufficient    /lib/security/pam_krb5.so forwardable use_first_pass realm=<realm2>
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so
account     required      /lib/security/pam_access.so
account     sufficient    /lib/security/pam_krb5.so

password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok shadow
password    sufficient    /lib/security/pam_krb5.so use_authtok
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_krb5.so

This will work for the first realm only, but someone trying to log in 
from the second realm will not succeed... however, if I flip the 
placement, the user from the second realm can log in but not the first.

I found a thread on this very issue on the web, but unfortunately there 
was/is nothing being done with this. Anyone have any tips on how I can 
go about doing this?
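To see what the posted auth stack is supposed to do, here is a small simulator of Linux-PAM's classic control-flag semantics (required / requisite / sufficient / optional) run over that exact stack. This is an added example, not code from the post, from Linux-PAM or from pam_krb5: each module's verdict for a given user is a constructed input, so the simulation shows the control flow the stack order implies, not why the poster's second realm fails in practice. The user kinds ("local", "realm1", "realm2", "unknown") and the `login()` helper are assumptions made for the example.

```python
# Simulator for Linux-PAM control-flag semantics (added example; not code from
# the original post or from Linux-PAM / pam_krb5). Only the classic keywords
# required / requisite / sufficient / optional are modelled, and module verdicts
# are supplied as input, so this shows what the posted stack *should* do given
# those verdicts, nothing about pam_krb5's real behaviour.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"


@dataclass
class Rule:
    control: str                 # required | requisite | sufficient | optional
    module: str                  # e.g. "pam_krb5.so"
    args: Tuple[str, ...] = ()

    @property
    def label(self) -> str:
        # A module stacked twice is told apart by its realm= argument.
        realm = [a for a in self.args if a.startswith("realm=")]
        return self.module + ("[" + realm[0] + "]" if realm else "")


# The auth stack from the post, one rule per entry, same order.
AUTH_STACK: List[Rule] = [
    Rule("required", "pam_env.so"),
    Rule("sufficient", "pam_unix.so", ("likeauth", "nullok")),
    Rule("sufficient", "pam_krb5.so", ("forwardable", "use_first_pass", "realm=<realm1>")),
    Rule("sufficient", "pam_krb5.so", ("forwardable", "use_first_pass", "realm=<realm2>")),
    Rule("required", "pam_deny.so"),
]


def run_stack(stack: List[Rule], verdicts: Dict[str, str]) -> Tuple[str, List[str]]:
    """Walk one management group; return (final result, modules actually consulted).

    verdicts maps Rule.label -> what that module returns for this user.
    A module absent from verdicts is treated as failing with PAM_AUTH_ERR.
    """
    consulted: List[str] = []
    first_failure: Optional[str] = None   # remembered failure of an earlier 'required'
    some_success = False
    for rule in stack:
        consulted.append(rule.label)
        ok = verdicts.get(rule.label, PAM_AUTH_ERR) == PAM_SUCCESS
        if rule.control == "requisite" and not ok:
            return PAM_AUTH_ERR, consulted            # stop at once
        if rule.control == "required":
            if ok:
                some_success = True
            else:
                first_failure = first_failure or PAM_AUTH_ERR   # keep walking, fail at end
        elif rule.control == "sufficient" and ok and first_failure is None:
            return PAM_SUCCESS, consulted             # short-circuit: later rules never run
        # a failing 'sufficient' and any 'optional' result are ignored
    if first_failure is not None:
        return first_failure, consulted
    return (PAM_SUCCESS if some_success else PAM_AUTH_ERR), consulted


def login(user_kind: str) -> Tuple[str, List[str]]:
    """Constructed verdicts for four kinds of user (assumption for the example).

    pam_env always succeeds, pam_deny always fails, and exactly one of
    pam_unix / pam_krb5[realm1] / pam_krb5[realm2] accepts the password
    depending on where the account lives; "unknown" is accepted nowhere.
    """
    verdicts = {"pam_env.so": PAM_SUCCESS, "pam_deny.so": PAM_AUTH_ERR}
    if user_kind == "local":
        verdicts["pam_unix.so"] = PAM_SUCCESS
    elif user_kind == "realm1":
        verdicts["pam_krb5.so[realm=<realm1>]"] = PAM_SUCCESS
    elif user_kind == "realm2":
        verdicts["pam_krb5.so[realm=<realm2>]"] = PAM_SUCCESS
    return run_stack(AUTH_STACK, verdicts)


if __name__ == "__main__":
    for kind in ("local", "realm1", "realm2", "unknown"):
        result, path = login(kind)
        print(f"{kind:8s} -> {result:12s} via {' -> '.join(path)}")
```

Under these rules a failing `sufficient` entry is simply skipped, so a user who is rejected by the `realm=<realm1>` entry falls through to the `realm=<realm2>` entry and is accepted there; only a `required` failure earlier in the stack (or the trailing `pam_deny`) turns the result into a denial. The stack order on its own therefore does not produce the symptom the post describes, which is why the question is really about what the two pam_krb5 entries do with the `realm=` argument and the password handed down by `use_first_pass`, not about PAM control flow.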
