[Freeipa-users] kerberized vsftpd login problem
Dmitri Pal
dpal at redhat.com
Fri Mar 28 02:11:48 UTC 2014
On 03/27/2014 04:47 PM, John Obaterspok wrote:
> 2014-03-23 19:45 GMT-04:00 Dmitri Pal<dpal at redhat.com>
>> 2014-03-23 9:01 GMT+01:00 John Obaterspok<john.obaterspok at gmail.com>:
>>> Hello,
>>>
>>> How do I get vsftpd login to work with an existing ticket?
>>> I've added ftp as an identity service (ftp/ipaserver.my.lan at MY.LAN)
>>> Is there anything else I need to do to allow ftp login to vsftpd?
>> What ftp client and server are you using?
>> Do you know whether they are actually supporting Kerberos?
>> Maybe consider other tools like scp instead?
> I'm using vsftpd with default settings in Fedora 20 + ftp client from
> krb5-appl-clients. vsftpd is linked to pam, gssapi_krb5, and more.
> /etc/pam.d/vsftpd looks like this:
>
> #%PAM-1.0
> session optional pam_keyinit.so force revoke
> auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
> auth required pam_shells.so
> auth include password-auth
> account include password-auth
> session required pam_loginuid.so
> session include password-auth
>
> Perhaps I need to change something in the pam file in order to allow sso?
>
> -- john
If you want SSO the ftp server should be configured to use GSSAPI and
not use PAM (or fail over to PAM if the client does not have a ticket). A
search of the man pages for vsftpd did not render such an option. I suspect
it is either undocumented or some other Kerberos-enabled ftp server
needs to be used.
Does the krb-appl package provide one?
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
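
Whether an FTP server accepts Kerberos tickets at the protocol level, the question raised in this thread, can be checked by sending the RFC 2228 `AUTH GSSAPI` command before login and reading the reply code. The following is an added example, not part of the original thread; the function names are assumptions made for illustration.

```python
import socket

# RFC 2228 reply codes to the AUTH command.
AUTH_MEANING = {
    "234": "accepted, no further security data needed",
    "334": "accepted, server expects ADAT tokens next",
    "431": "mechanism known but temporarily unavailable",
    "500": "AUTH not recognized",
    "502": "AUTH not implemented",
    "504": "mechanism not understood",
    "534": "mechanism refused by policy",
}

def final_code(reply: str) -> str:
    """Return the code on the final line of a (possibly multi-line) FTP reply."""
    for line in reply.splitlines():
        # "NNN-text" continues a reply; "NNN text" (or bare "NNN") ends it.
        if len(line) >= 3 and line[:3].isdigit() and line[3:4] in ("", " "):
            return line[:3]
    raise ValueError("no complete FTP reply in %r" % reply)

def classify_auth_reply(reply: str):
    """Map the reply to 'AUTH GSSAPI' to (supported, explanation)."""
    code = final_code(reply)
    supported = code in ("234", "334")
    return supported, AUTH_MEANING.get(code, "unexpected reply " + code)

def read_reply(f) -> str:
    """Read lines until the final line of one FTP reply ('NNN ' prefix)."""
    lines = []
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        lines.append(line)
        if line[:3].isdigit() and line[3:4] == " ":
            return "".join(lines)

def probe(host: str, port: int = 21, timeout: float = 5.0):
    """Connect, skip the banner, send AUTH GSSAPI and classify the answer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        # newline="" keeps the CRLF line endings untranslated in both directions.
        f = s.makefile("rw", encoding="latin-1", newline="")
        read_reply(f)  # 220 greeting
        f.write("AUTH GSSAPI\r\n")
        f.flush()
        result = classify_auth_reply(read_reply(f))
        f.write("QUIT\r\n")
        f.flush()
        return result
```

Calling `probe("ipaserver.my.lan")` returns `(True, ...)` only when the server answers 234 or 334; any other reply means logins go through the password-based PAM stack shown above, and an existing ticket is never consulted.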