[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: PAM Krb5

Anthony Ramm wrote:
I have been trying to get the PAM Krb5 module to work for the past few days and was wondering if it would be possible for someone to point me in the right direction regarding some problems I am having. I'm using a gentoo system with MIT Kerberos5 v1.3.3, PAM v0.77 and PAM_krb5 version 2.1.0. When I ssh into the box I can login, but whilst I get a TGT allocated (I can see it being allocated on the KDC)

Assuming you're using OpenSSH: http://bugzilla.mindrot.org/show_bug.cgi?id=688

Possible solutions:
* Compile sshd to use threads. This is the best known solution right now, but opens a whole can of thread-safety worms.

* There's a patch attached to the bug that creates the credential cache before sshd's authentication "thread" (a process, actually) exits.

* Current development versions can also do Password authentication via PAM (via a "blind" conversation function) in addition to ChallengeResponse. This happens in the immediate ancestor of the shell, so the info stashed by the module (presumably with pam_set_data()?) during authentication doesn't get lost.

> Also, I'm asked for the password three times, where I > can enter nonsense, before it prompts me for root host password.

This is described (briefly) in the sshd_config man page description of UsePAM and the comments in sshd_config. Basically, if you want to authenticate via PAM, set "PasswordAuthentication no" in sshd_config

Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]