Using pam_krb5 multiple times
Matt Clausen
mclausen at csit.fsu.edu
Wed Jun 30 04:37:23 UTC 2004
I have a rather unique need in which I need a machine to check multiple
realms for a principal that's logging in. I've downloaded the latest (I
think... pam_krb5 doesn't seem to be maintained anymore) version and
installed it but what happens is that the first realm can authenticate
fine, but not the second realm.
Here's an excerpt from the pam.d/system-auth file:
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_krb5.so forwardable use_first_pass realm=<realm1>
auth sufficient /lib/security/pam_krb5.so forwardable use_first_pass realm=<realm2>
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account required /lib/security/pam_access.so
account sufficient /lib/security/pam_krb5.so
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok shadow
password sufficient /lib/security/pam_krb5.so use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_krb5.so
This will work for the first realm only, but someone trying to log in
from the second realm will not succeed... however if I flip the
placement, the user from the 2nd realm can log in but not the first.
I found a thread on this very issue on the web, but unfortunately there
was/is nothing being done with this. Anyone have any tips on how I can
go about doing this?
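As an added illustration (not part of the original post, nor of pam_krb5), a small Python model of how Linux-PAM walks a stack with `required`/`sufficient` control flags, run over the auth group quoted above with constructed module outcomes: by the stack semantics alone, a failing first pam_krb5 line falls through to the second, so the realm-order dependence described cannot come from the ordering of the stack itself.

```python
# Added example, not from the original post: a small simulator of the Linux-PAM
# control flags (required, requisite, sufficient, optional), run over the auth
# group of the poster's system-auth (wrapped lines rejoined). Module results come
# from a constructed dict, so the logic can be inspected without a KDC or real PAM.
from typing import Dict, List, Tuple

AUTH_STACK = """\
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_krb5.so forwardable use_first_pass realm=<realm1>
auth sufficient /lib/security/pam_krb5.so forwardable use_first_pass realm=<realm2>
auth required /lib/security/pam_deny.so
"""
# Constructed outcomes for a principal from the second realm: no local password,
# so pam_unix fails, and only the realm=<realm2> pam_krb5 line succeeds.
REALM2_USER: Dict[str, bool] = {
    "pam_env.so": True,
    "pam_unix.so likeauth nullok": False,
    "pam_krb5.so forwardable use_first_pass realm=<realm1>": False,
    "pam_krb5.so forwardable use_first_pass realm=<realm2>": True,
    "pam_deny.so": False,
}

def parse_stack(text: str) -> List[Tuple[str, str, str]]:
    """Return (control, module, args) triples for the lines of one group."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        _group, control, module, *args = parts
        entries.append((control, module.rsplit("/", 1)[-1], " ".join(args)))
    return entries

def run_stack(entries, outcomes: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Walk the stack with the simple control-flag semantics; a module missing
    from `outcomes` counts as failing. Returns (authenticated, keys consulted)."""
    consulted: List[str] = []
    required_failed = False
    for control, module, args in entries:
        key = f"{module} {args}".strip()
        ok = outcomes.get(key, False)
        consulted.append(key)
        if control == "requisite" and not ok:
            return False, consulted      # requisite failure ends the stack
        if control == "required" and not ok:
            required_failed = True       # remembered, but later modules still run
        if control == "sufficient" and ok and not required_failed:
            return True, consulted       # success short-circuits what follows
    return not required_failed, consulted   # "optional" lines never decide
```

Running `run_stack(parse_stack(AUTH_STACK), REALM2_USER)` consults four lines and ends in success at the realm2 entry; with no module passing, `pam_deny` (required) fails and the whole stack fails after all five lines.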