The most optimized configuration I have reached is as follows.<br>Thank you for the help !!<br><br><u>sshd</u><br><br>auth required pam_listfile.so item=user sense=deny file=/etc/ssh/ssh_host_deny onerr=succeed<br>
auth required pam_stack.so service=system-auth<br>auth required pam_nologin.so<br><br>account required pam_stack.so service=system-auth<br><br>password required pam_stack.so service=system-auth<br>
<br>session required pam_stack.so service=system-auth<br>session required pam_limits.so<br><br><u>system-auth<br><br></u>auth required pam_env.so<br>auth optional pam_krb5.so try_first_pass<br>
auth sufficient pam_afs.so try_first_pass ignore_root set_token<br>auth required pam_deny.so<br><br>account sufficient pam_unix.so<br>account sufficient pam_krb5.so<br>account sufficient pam_ldap.so<br>
<br>password requisite pam_passwdqc.so min=disabled,8,8,8,8 passphrase=0 enforce=users<br>password sufficient pam_krb5.so use_authtok<u><br></u>password required pam_deny.so<br><br>session required pam_limits.so<br>
session optional pam_krb5.so<br>session optional pam_ldap.so<br>session required pam_unix.so<u><br><br></u><br>Ido Levy<br><br><div class="gmail_quote">On Tue, Mar 25, 2008 at 1:14 PM, Tomas Mraz <<a href="mailto:tmraz@redhat.com">tmraz@redhat.com</a>> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="Ih2E3d">On Tue, 2008-03-25 at 12:49 +0200, Ido Levy wrote:<br>
> Hello,<br>
><br>
</div><div class="Ih2E3d">> Following your advice I have successfully setup integrated login for<br>
> ssh.<br>
> I got both AFS token and Kerberos 5 ticket.<br>
><br>
> Following are the PAM files of sshd and system-auth:<br>
> I have a few questions regarding the setup of sshd PAM file that looks<br>
> a little strange for me although it's working and satisfy my needs.<br>
><br>
> sshd<br>
<br>
</div>Here is my recommendation - try if that works:<br>
<div class="Ih2E3d"><br>
#%PAM-1.0<br>
auth required pam_listfile.so item=user sense=deny file=/etc/ssh/ssh_host_deny onerr=succeed<br>
</div>auth required pam_stack.so service=system-auth<br>
<div class="Ih2E3d">auth required pam_nologin.so<br>
<br>
account required pam_stack.so service=system-auth<br>
<br>
password required pam_stack.so service=system-auth<br>
<br>
session required pam_stack.so service=system-auth<br>
session required pam_limits.so<br>
<br>
system-auth<br>
<br>
#%PAM-1.0<br>
auth required pam_env.so<br>
</div>auth required pam_krb5.so<br>
auth sufficient pam_afs.so try_first_pass ignore_root set_token<br>
<div class="Ih2E3d">auth required pam_deny.so<br>
<br>
account sufficient pam_unix.so<br>
account sufficient pam_krb5.so<br>
account sufficient pam_ldap.so<br>
<br>
password requisite pam_passwdqc.so min=disabled,8,8,8,8 passphrase=0 enforce=users<br>
</div>password sufficient pam_krb5.so use_authtok<br>
<div class="Ih2E3d">password required pam_deny.so<br>
<br>
session required pam_limits.so<br>
session optional pam_krb5.so<br>
session optional pam_ldap.so<br>
session required pam_unix.so<br>
<br>
</div>--<br>
<div><div></div><div class="Wj3C7c">Tomas Mraz<br>
No matter how far down the wrong road you've gone, turn back.<br>
Turkish proverb<br>
<br>
_______________________________________________<br>
Pam-list mailing list<br>
<a href="mailto:Pam-list@redhat.com">Pam-list@redhat.com</a><br>
<a href="https://www.redhat.com/mailman/listinfo/pam-list" target="_blank">https://www.redhat.com/mailman/listinfo/pam-list</a><br>
</div></div></blockquote></div><br>