The most optimized configuration I have reached is as follows.<br>
Thank you for the help !!<br>
<br>
<u>sshd</u><br>
<br>
auth       required     pam_listfile.so item=user sense=deny file=/etc/ssh/ssh_host_deny onerr=succeed<br>
auth       required     pam_stack.so service=system-auth<br>
auth       required     pam_nologin.so<br>
<br>
account    required     pam_stack.so service=system-auth<br>
<br>
password   required     pam_stack.so service=system-auth<br>
<br>
session    required     pam_stack.so service=system-auth<br>
session    required     pam_limits.so<br>
<br>
<u>system-auth</u><br>
<br>
auth        required      pam_env.so<br>
auth        optional      pam_krb5.so try_first_pass<br>
auth        sufficient    pam_afs.so try_first_pass ignore_root set_token<br>
auth        required      pam_deny.so<br>
<br>
account     sufficient    pam_unix.so<br>
account     sufficient    pam_krb5.so<br>
account     sufficient    pam_ldap.so<br>
<br>
password    requisite     pam_passwdqc.so min=disabled,8,8,8,8 passphrase=0 enforce=users<br>
password    sufficient    pam_krb5.so use_authtok<br>
password    required      pam_deny.so<br>
<br>
session     required      pam_limits.so<br>
session     optional      pam_krb5.so<br>
session     optional      pam_ldap.so<br>
session     required      pam_unix.so<br>
<br>
<br>
Ido Levy<br>
<br>
<div class="gmail_quote">On Tue, Mar 25, 2008 at 1:14 PM, Tomas Mraz <<a href="mailto:tmraz@redhat.com">tmraz@redhat.com</a>> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="Ih2E3d">On Tue, 2008-03-25 at 12:49 +0200, Ido Levy wrote:<br>
> Hello,<br>
><br>
</div><div class="Ih2E3d">> Following your advice I have successfully set up integrated login for<br>
> ssh.<br>
> I got both AFS token and Kerberos 5 ticket.<br>
><br>
> Following are the PAM files of sshd and system-auth:<br>
> I have a few questions regarding the setup of sshd PAM file that looks<br>
> a little strange to me although it's working and satisfies my needs.<br>
><br>
> sshd<br>
<br>
</div>Here is my recommendation - try if that works:<br>
<div class="Ih2E3d"><br>
#%PAM-1.0<br>
auth       required     pam_listfile.so item=user sense=deny file=/etc/ssh/ssh_host_deny onerr=succeed<br>
</div>auth       required     pam_stack.so service=system-auth<br>
<div class="Ih2E3d">auth       required     pam_nologin.so<br>
<br>
account    required     pam_stack.so service=system-auth<br>
<br>
password   required     pam_stack.so service=system-auth<br>
<br>
session    required     pam_stack.so service=system-auth<br>
session    required     pam_limits.so<br>
<br>
system-auth<br>
<br>
#%PAM-1.0<br>
auth        required      pam_env.so<br>
</div>auth        required      pam_krb5.so<br>
auth        sufficient    pam_afs.so try_first_pass ignore_root set_token<br>
<div class="Ih2E3d">auth        required      pam_deny.so<br>
<br>
account     sufficient    pam_unix.so<br>
account     sufficient    pam_krb5.so<br>
account     sufficient    pam_ldap.so<br>
<br>
password    requisite     pam_passwdqc.so min=disabled,8,8,8,8 passphrase=0 enforce=users<br>
</div>password    sufficient    pam_krb5.so use_authtok<br>
<div class="Ih2E3d">password    required      pam_deny.so<br>
<br>
session     required      pam_limits.so<br>
session     optional      pam_krb5.so<br>
session     optional      pam_ldap.so<br>
session     required      pam_unix.so<br>
<br>
</div>--<br>
<div><div></div><div class="Wj3C7c">Tomas Mraz<br>
No matter how far down the wrong road you've gone, turn back.<br>
                                              Turkish proverb<br>
<br>
_______________________________________________<br>
Pam-list mailing list<br>
<a href="mailto:Pam-list@redhat.com">Pam-list@redhat.com</a><br>
<a href="https://www.redhat.com/mailman/listinfo/pam-list" target="_blank">https://www.redhat.com/mailman/listinfo/pam-list</a><br>
</div></div></blockquote></div><br>
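How the two system-auth auth stacks in this thread differ under the documented Linux-PAM rules for the required, requisite, sufficient and optional control keywords, as an added example that is not part of either message. Module results are supplied as inputs (pam_env.so is assumed to succeed), pam_stack.so inclusion is not modelled, and the names POSTED, RECOMMENDED, parse, run_stack and decision_table are made up for the illustration.

```python
from itertools import product

# Constructed from the thread: auth lines of the posted system-auth ...
POSTED = """\
auth        required      pam_env.so
auth        optional      pam_krb5.so try_first_pass
auth        sufficient    pam_afs.so try_first_pass ignore_root set_token
auth        required      pam_deny.so
"""
# ... and of the quoted recommendation (pam_krb5.so is "required" there).
RECOMMENDED = """\
auth        required      pam_env.so
auth        required      pam_krb5.so
auth        sufficient    pam_afs.so try_first_pass ignore_root set_token
auth        required      pam_deny.so
"""

def parse(text, mtype="auth"):
    """Return [(control, module)] for one management group."""
    rows = (line.split() for line in text.splitlines())
    return [(f[1], f[2]) for f in rows if len(f) >= 3 and f[0] == mtype]

def run_stack(stack, results):
    """results maps module -> True if it returns PAM_SUCCESS (an input here)."""
    failed = positive = False
    for control, module in stack:
        ok = results[module]
        if control == "requisite" and not ok:
            return False                 # fail immediately
        if control == "sufficient":
            if ok and not failed:
                return True              # stop here with success
            continue                     # otherwise the result is ignored
        if control in ("required", "requisite"):
            failed = failed or not ok    # remembered, stack keeps running
        positive = positive or ok        # an optional failure is ignored
    return positive and not failed       # nothing counted as success -> deny

def decision_table(text):
    # Try every krb5/afs outcome; pam_deny.so always fails by design.
    stack, table = parse(text), {}
    for krb5, afs in product((True, False), repeat=2):
        results = {"pam_env.so": True, "pam_deny.so": False,
                   "pam_krb5.so": krb5, "pam_afs.so": afs}
        table[(krb5, afs)] = run_stack(stack, results)
    return table

if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("recommended", RECOMMENDED)):
        print(name, decision_table(text))
```

When pam_krb5.so fails and pam_afs.so succeeds, the stack with optional pam_krb5.so allows the login and the stack with required pam_krb5.so denies it. In both stacks a pam_afs.so failure falls through to pam_deny.so, so authentication is denied.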