why doesn't this work?
Alexey Toptygin
alexeyt at freeshell.org
Tue Sep 21 01:00:12 UTC 2004
I want root to be authenticated via pam_unix and everybody else to be
authenticated via pam_krb5. This works:

    auth sufficient pam_unix.so
    auth required pam_krb5.so use_first_pass

But that tries pam_unix first for all the kerberos-authenticated users.
So, in order to always do either one or the other but not both, I tried
this:

    auth [success=2 default=ignore] pam_listfile.so \
         onerr=fail item=user sense=deny file=/etc/security/auth.local
    auth sufficient pam_unix.so
    auth [default=1] pam_permit.so
    auth sufficient pam_krb5.so
    auth required pam_deny.so

along with putting root into /etc/security/auth.local.

The pam_krb5 case works, but for some reason the pam_unix case fails,
and this appears in syslog:

    Sep 20 18:46:06 myhost sshd[16829]: Accepted keyboard-interactive/pam for root from ::ffff:192.168.1.101 port 4024 ssh2
    Sep 20 18:46:06 myhost sshd[16829]: fatal: PAM: pam_setcred(): Authentication service cannot retrieve user credentials

Can someone tell me what I'm doing wrong?
Alexey
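
The two stacks from the message above, traced module by module. This is an added example, not part of the original post: a simplified model of the Linux-PAM authenticate pass only (the pam_setcred() pass where the logged fatal occurs is not modeled). The per-module results and the names trace, parse_control, SIMPLE, JUMP, ROOT_OK, ROOT_BAD and KRB_USER are constructed for illustration.

```python
# Added example: simplified model of the Linux-PAM auth-stack walk in pam_authenticate().
# Shorthand controls reduced to the two outcomes this model tracks.
SHORTHAND = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

def parse_control(text):
    """Turn 'sufficient' or '[success=2 default=ignore]' into an action map."""
    if text.startswith("["):
        return dict(pair.split("=") for pair in text.strip("[]").split())
    return SHORTHAND[text]

def trace(stack, results):
    """Return (verdict, modules_called) for one authenticate pass."""
    called, impression, i = [], None, 0   # impression: None / True / False
    while i < len(stack):
        control, module = stack[i]
        called.append(module)
        actions = parse_control(control)
        action = actions.get(results[module], actions.get("default", "bad"))
        i += 1
        if action.isdigit():
            i += int(action)               # jump: skip the next N modules
        elif action in ("ok", "done"):
            impression = True if impression is None else impression
            if action == "done" and impression:
                break                      # a sufficient success ends the walk
        elif action in ("bad", "die"):
            impression = False
            if action == "die":
                break
    return ("success" if impression else "failure"), called

SIMPLE = [("sufficient", "pam_unix"), ("required", "pam_krb5")]
JUMP = [("[success=2 default=ignore]", "pam_listfile"), ("sufficient", "pam_unix"),
        ("[default=1]", "pam_permit"), ("sufficient", "pam_krb5"),
        ("required", "pam_deny")]
# Constructed per-module results for three logins (root is listed in auth.local).
BASE = {"pam_permit": "success", "pam_deny": "auth_err"}
ROOT_OK  = dict(BASE, pam_listfile="auth_err", pam_unix="success",  pam_krb5="auth_err")
ROOT_BAD = dict(BASE, pam_listfile="auth_err", pam_unix="auth_err", pam_krb5="auth_err")
KRB_USER = dict(BASE, pam_listfile="success",  pam_unix="auth_err", pam_krb5="success")
if __name__ == "__main__":
    for name, res in (("root ok", ROOT_OK), ("root bad", ROOT_BAD), ("krb user", KRB_USER)):
        print(name, trace(JUMP, res))
```

In this model the jump stack calls exactly one password-checking module per login, and a failed root password falls through pam_permit's jump to pam_deny.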