PAM Krb5
Anthony Ramm
anthony at openadvantage.org
Wed Jun 2 16:11:03 UTC 2004
Thanks for the advice. I think I've got it all working now. What I'm
ultimately trying to do is set up a single sign-on situation where all
passwords etc. are stored with Kerberos and permissions etc. are stored
in an OpenLDAP database. I've nearly done this using pam_krb5 for
authentication, and I'm going to use pam_ldap for account information.
Is it possible that, if a user already has a Kerberos ticket and has
permission on the destination host, they can be logged on
automatically without having to enter a password? It seems as though
it should be, but I can't quite figure out how.
Thanks in advance,
Anthony
On 2 Jun 2004, at 01:17, Darren Tucker wrote:
> Anthony Ramm wrote:
>> I have been trying to get the PAM Krb5 module to work for the past
>> few days and was wondering if it would be possible for someone to
>> point me in the right direction regarding some problems I am having.
>> I'm using a gentoo system with MIT Kerberos5 v1.3.3, PAM v0.77 and
>> PAM_krb5 version 2.1.0. When I ssh into the box I can login, but
>> whilst I get a TGT allocated (I can see it being allocated on the
>> KDC)
>
> Assuming you're using OpenSSH:
> http://bugzilla.mindrot.org/show_bug.cgi?id=688
>
> Possible solutions:
> * Compile sshd to use threads. This is the best known solution right
> now, but opens a whole can of thread-safety worms.
>
> * There's a patch attached to the bug that creates the credential
> cache before sshd's authentication "thread" (a process, actually)
> exits.
>
> * Current development versions can also do Password authentication via
> PAM (via a "blind" conversation function) in addition to
> ChallengeResponse. This happens in the immediate ancestor of the
> shell, so the info stashed by the module (presumably with
> pam_set_data()?) during authentication doesn't get lost.
>
> > Also, I'm asked for the password three times, where I
> > can enter nonsense, before it prompts me for root at host password.
>
> This is described (briefly) in the sshd_config man page description of
> UsePAM and the comments in sshd_config. Basically, if you want to
> authenticate via PAM, set "PasswordAuthentication no" in sshd_config