Hello,<br><br>Following your advice, I have successfully set up integrated login for ssh.<br>I got both an AFS token and a Kerberos 5 ticket.<br><br>Following are the PAM files of sshd and system-auth:<br>I have a few questions regarding the setup of the sshd PAM file, which looks a little strange to me although it's working and satisfies my needs.<br>
<br><u>sshd</u><br><br>#%PAM-1.0<br>auth required pam_listfile.so item=user sense=deny file=/etc/ssh/ssh_host_deny onerr=succeed<br><span style="background-color: rgb(255, 255, 0);"># Without the following line it's not working properly (I wonder why, it has the same line in the system-auth file)</span><br>
auth required pam_afs.so try_first_pass ignore_root set_token<br><span style="background-color: rgb(255, 255, 0);"># Note that the following line is marked as optional, any change will harm the login process - I think it should be required</span><br>
auth optional pam_stack.so service=system-auth<br>auth required pam_nologin.so<br><br>account required pam_stack.so service=system-auth<br><br>password required pam_stack.so service=system-auth<br>
<br>session required pam_stack.so service=system-auth<br>session required pam_limits.so<br><br><u>system-auth</u><br><br>#%PAM-1.0<br>auth required pam_env.so<br>auth optional pam_krb5.so use_first_pass<br>
auth required pam_afs.so try_first_pass ignore_root set_token<br>auth required pam_deny.so<br><br>account sufficient pam_unix.so<br>account sufficient pam_krb5.so<br>account sufficient pam_ldap.so<br>
<br>password requisite pam_passwdqc.so min=disabled,8,8,8,8 passphrase=0 enforce=users<br>password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok<br>password sufficient pam_krb5.so use_authtok<br>
password required pam_deny.so<br><br>session required pam_limits.so<br>session optional pam_krb5.so<br>session optional pam_ldap.so<br>session required pam_unix.so<br><br><br><div class="gmail_quote">
On Tue, Mar 25, 2008 at 11:28 AM, Ido Levy <<a href="mailto:idol.levy@gmail.com">idol.levy@gmail.com</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Tomas,<br><br>Thanks for the advice!!<br>I will check it out and will update the list with my results.<br><font color="#888888"><br>Ido</font><div><div></div><div class="Wj3C7c"><br><br><div class="gmail_quote">On Tue, Mar 25, 2008 at 11:24 AM, Tomas Mraz <<a href="mailto:tmraz@redhat.com" target="_blank">tmraz@redhat.com</a>> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">On Tue, 2008-03-25 at 11:15 +0200, Ido Levy wrote:<br>
> Hello,<br>
><br>
> I am trying to configure PAM to provide both AFS token and Kerberos 5<br>
> ticket in the login process but unfortunately with no luck.<br>
> I am able to get AFS token or Kerberos 5 ticket but not both of them.<br>
><br>
> Following is the system-auth file.<br>
><br>
> #%PAM-1.0<br>
> auth required pam_env.so<br>
> auth sufficient /lib64/security/pam_krb5.so use_first_pass<br>
This module must be "required" and not "sufficient".<br>
> auth sufficient /lib64/security/pam_afs.so try_first_pass<br>
> ignore_root set_token<br>
Also you shouldn't use full paths to the modules, the pam library will<br>
search /lib(64)/security automatically.<br>
<br>
--<br>
Tomas Mraz<br>
No matter how far down the wrong road you've gone, turn back.<br>
Turkish proverb<br>
<br>
</blockquote></div><br>
</div></div></blockquote></div><br>
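A minimal model of how Linux-PAM combines control flags, run over the auth lines quoted in this thread (an added example, not part of the original messages). It shows why `sufficient` on pam_krb5 keeps pam_afs from running, and why the posted sshd file only works with the system-auth include marked `optional`: that stack ends in `required pam_deny.so`. Module outcomes are assumed inputs, and the `pam_stack:<service>` name is a notation made up here for `pam_stack.so service=<service>`.

```python
# Simplified model of Linux-PAM control flags for the auth stack (added example).
# Module outcomes are assumed inputs: True = PAM_SUCCESS, False = any failure.

def run_stack(stack, results, stacks=None, ran=None):
    """Return (stack_succeeded, modules_actually_called)."""
    ran = [] if ran is None else ran
    impression = None                      # None = no module has decided yet
    for control, module in stack:
        if module.startswith("pam_stack:"):   # models pam_stack.so service=<name>
            ok, _ = run_stack(stacks[module.split(":", 1)[1]], results, stacks, ran)
        else:
            ran.append(module)
            ok = results[module]
        if ok:
            if impression is None:
                impression = True
            if control == "sufficient" and impression:
                break                      # success ends the stack; the rest never run
        elif control in ("required", "requisite"):
            impression = False             # failure is remembered
            if control == "requisite":
                break
        # a failing "sufficient" or "optional" module is ignored
    return impression is True, ran

# Lines quoted from the first post, and the same with Tomas's change applied.
ORIGINAL = [("required", "pam_env"), ("sufficient", "pam_krb5"),
            ("sufficient", "pam_afs")]
KRB5_REQUIRED = [("required", "pam_env"), ("required", "pam_krb5"),
                 ("sufficient", "pam_afs")]
# auth lines of the working files posted in the follow-up.
STACKS = {"system-auth": [("required", "pam_env"), ("optional", "pam_krb5"),
                          ("required", "pam_afs"), ("required", "pam_deny")]}
SSHD = [("required", "pam_listfile"), ("required", "pam_afs"),
        ("optional", "pam_stack:system-auth"), ("required", "pam_nologin")]
# Constructed outcome table: valid credentials; pam_deny always fails.
GOOD = {"pam_env": True, "pam_krb5": True, "pam_afs": True, "pam_deny": False,
        "pam_listfile": True, "pam_nologin": True}

if __name__ == "__main__":
    print(run_stack(ORIGINAL, GOOD))               # pam_afs is never called
    print(run_stack(KRB5_REQUIRED, GOOD))          # both modules run
    print(run_stack(STACKS["system-auth"], GOOD))  # fails on pam_deny
    print(run_stack(SSHD, GOOD, STACKS))           # succeeds: substack is optional
```

In this model the optional pam_stack result is discarded, so of the credential-checking modules only the sshd-level pam_afs line can fail the sshd auth stack.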