PAM Krb5
Darren Tucker
dtucker at zip.com.au
Wed Jun 2 00:17:36 UTC 2004
Anthony Ramm wrote:
> I have been trying to get the PAM Krb5 module to work for the past few
> days and was wondering if it would be possible for someone to point me
> in the right direction regarding some problems I am having. I'm using a
> gentoo system with MIT Kerberos5 v1.3.3, PAM v0.77 and PAM_krb5 version
> 2.1.0. When I ssh into the box I can login, but whilst I get a TGT
> allocated (I can see it being allocated on the KDC)
Assuming you're using OpenSSH:
http://bugzilla.mindrot.org/show_bug.cgi?id=688
Possible solutions:
* Compile sshd to use threads. This is the best known solution right
now, but opens a whole can of thread-safety worms.
* There's a patch attached to the bug that creates the credential cache
before sshd's authentication "thread" (a process, actually) exits.
* Current development versions can also do Password authentication via
PAM (via a "blind" conversation function) in addition to
ChallengeResponse. This happens in the immediate ancestor of the shell,
so the info stashed by the module (presumably with pam_set_data()?)
during authentication doesn't get lost.
> Also, I'm asked for the password three times, where I
> can enter nonsense, before it prompts me for root at host password.
This is described (briefly) in the sshd_config man page description of
UsePAM and the comments in sshd_config. Basically, if you want to
authenticate via PAM, set "PasswordAuthentication no" in sshd_config
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
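
The process-boundary problem described in the reply above, as an added example that is not part of the original message and is not OpenSSH or pam_krb5 code. It models module state as plain process memory; the stash_* helpers are hypothetical stand-ins for data a module would keep with pam_set_data(), which the reply itself only presumes, and the stashed string is constructed.

```c
/* Added illustration: module data kept in process memory does not survive
 * the exit of the process that stored it. stash_* are hypothetical helpers. */
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

static char stash[64];                 /* lives in this process's memory only */

static void stash_set(const char *v) { snprintf(stash, sizeof stash, "%s", v); }
static int  stash_present(void)      { return stash[0] != '\0'; }

/* "authenticate": the module obtains a TGT and remembers it (constructed value). */
static int authenticate(void) { stash_set("tgt-for-user"); return 0; }

/* "open session": the module needs the remembered data to write the ccache. */
static int session_sees_credentials(void) { return stash_present(); }

/* Authentication runs in a forked child that exits; the session runs in the parent. */
int auth_in_child_session_in_parent(void)
{
    int status;
    pid_t pid;

    stash_set("");
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(authenticate());         /* the child's copy of stash dies with it */
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;                     /* authentication failed or child died */
    return session_sees_credentials(); /* 0: login succeeds, stashed data is gone */
}

/* Authentication and session run in the same process. */
int auth_and_session_same_process(void)
{
    stash_set("");
    if (authenticate() != 0)
        return -1;
    return session_sees_credentials(); /* 1: stashed data is still there */
}

int main(void)
{
    printf("auth in child, session in parent: %d\n", auth_in_child_session_in_parent());
    printf("auth and session in one process:  %d\n", auth_and_session_same_process());
    return 0;
}
```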