kerberos pam_krb5.so module skipped in stack

Rick Blair rickblairmail at gmail.com
Mon Jun 20 16:32:21 UTC 2005


Ok,

I got it.

I had to add 'UsePAM yes' to sshd_config.

Thanks for your help.

Rick

On 6/17/05, Wang, Yu <ywang at unf.edu> wrote:
> I would first check to make sure the SSH IS using pam, not its own auth. You may want to turn on debug mode on ssh and on krb5. kinit means your krb client setup is correct. You can use telnet and a kerberos principal to test your pam stack. If it works for telnet, then it's your ssh configuration. I don't use RH so cannot test your pam stack. Mine doesn't have those 'default=bad' things since my users are in AD.
> 
> Yu
> 
> 
> > -----Original Message-----
> > From: pam-list-bounces at redhat.com
> > [mailto:pam-list-bounces at redhat.com]On
> > Behalf Of Rick Blair
> > Sent: Friday, June 17, 2005 1:38 PM
> > To: pam-list at redhat.com
> > Subject: kerberos pam_krb5.so module skipped in stack
> >
> >
> > On past versions of redhat and Fedora Core I was able to set up kerberos
> > authentication with pam without any problem.
> >
> > On Fedora Core 3 and now 4 I can not get it to work.  I set everything
> > up as before and run kinit <user> and that works.  If I do a tcp dump I
> > can see the port 88 communication occurring.
> > If I use pam and a service like sshd, I get the error: "sshd[23379]:
> > Failed password for <user>".  A tcpdump reveals no port 88 traffic.  It
> > looks like the pam_krb5.so module is being skipped in the pam stack.
> >
> > Here are my pam configs:
> > /etc/pam.d/sshd
> > #%PAM-1.0
> > auth       required     pam_stack.so service=system-auth debug
> > auth       required     pam_nologin.so
> > account    required     pam_stack.so service=system-auth debug
> > password   required     pam_stack.so service=system-auth degug
> > #session    required     pam_stack.so service=system-auth
> > #session    required     pam_limits.so
> > #session    optional     pam_console.so
> > session    required     pam_permit.so
> >
> >
> > cat /etc/pam.d/system-auth
> > #%PAM-1.0
> > # This file is auto-generated.
> > # User changes will be destroyed the next time authconfig is run.
> > auth        required      /lib/security/$ISA/pam_env.so
> > auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> > auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
> > auth        required      /lib/security/$ISA/pam_deny.so
> >
> > account     required      /lib/security/$ISA/pam_unix.so broken_shadow
> > account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> > account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so
> > account     required      /lib/security/$ISA/pam_permit.so
> >
> > password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
> > password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> > password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
> > password    required      /lib/security/$ISA/pam_deny.so
> >
> > session     required      /lib/security/$ISA/pam_limits.so
> > session     required      /lib/security/$ISA/pam_unix.so
> > session     optional      /lib/security/$ISA/pam_krb5.so
> >
> > --
> >               -Rick
> >
> > _______________________________________________
> > Pam-list mailing list
> > Pam-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/pam-list
> >
> >
> 
> 
>
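The two conditions this thread turns on (sshd handing authentication to PAM via UsePAM, and the sshd service's auth stack actually containing pam_krb5.so) can be checked offline against the config files. The script below is an added example, not part of the original messages; the function names are hypothetical, the sample files are constructed from the configs quoted above, and it assumes the upstream OpenSSH default of `UsePAM no`.

```shell
# UsePAM as sshd sees it: keywords are case-insensitive, the first occurrence
# wins, and upstream OpenSSH defaults to "no" when the keyword is absent.
effective_usepam() {
    awk 'tolower($1) == "usepam" { v = tolower($2); exit }
         END { print (v == "" ? "no" : v) }' "$1"
}

# List the auth modules of a PAM service, following pam_stack.so service=X
# (used in the quoted configs) and include/substack into the named file.
auth_modules() {  # $1 = pam.d dir, $2 = service, $3 = recursion depth
    [ "${3:-0}" -lt 8 ] && [ -r "$1/$2" ] || return 0
    awk '{ sub(/\[[^]]*\]/, "ctl") }   # collapse [a=b c=d] control to one field
         $1 != "auth" { next }
         $2 == "include" || $2 == "substack" { print "S", $3; next }
         $3 ~ /pam_stack\.so$/ { for (i = 4; i <= NF; i++)
             if ($i ~ /^service=/) print "S", substr($i, 9); next }
         { n = split($3, p, "/"); print "M", p[n] }' "$1/$2" |
    while read -r kind name; do
        if [ "$kind" = S ]; then auth_modules "$1" "$name" $(( ${3:-0} + 1 ))
        else echo "$name"; fi
    done
}

# 0 if an sshd password login reaches pam_krb5, else 1 with the reason printed.
check_sshd_krb5() {  # $1 = sshd_config, $2 = pam.d dir
    if [ "$(effective_usepam "$1")" != yes ]; then
        echo "UsePAM off: sshd checks the password itself, PAM auth never runs"; return 1
    fi
    auth_modules "$2" sshd | grep -qx 'pam_krb5\.so' ||
        { echo "UsePAM on, but pam_krb5.so is not in the sshd auth stack"; return 1; }
    echo "UsePAM on and the sshd auth stack reaches pam_krb5.so"
}

# Constructed sample files modelled on the configs quoted in the thread.
make_sample() {  # $1 = target dir, $2 = UsePAM line for sshd_config
    mkdir -p "$1/pam.d"
    printf '%s\n' 'Protocol 2' "$2" > "$1/sshd_config"
    printf '%s\n' 'auth required pam_stack.so service=system-auth debug' > "$1/pam.d/sshd"
    printf '%s\n' 'auth required /lib/security/$ISA/pam_env.so' \
        'auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok' \
        'auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass' \
        'auth required /lib/security/$ISA/pam_deny.so' > "$1/pam.d/system-auth"
}

tmp=$(mktemp -d)
make_sample "$tmp/before" '#UsePAM no'; make_sample "$tmp/after" 'UsePAM yes'
check_sshd_krb5 "$tmp/before/sshd_config" "$tmp/before/pam.d" || true
check_sshd_krb5 "$tmp/after/sshd_config" "$tmp/after/pam.d"
rm -rf "$tmp"
```

On a live host with a recent OpenSSH, `sshd -T` prints the effective configuration, including the `usepam` value, without any file parsing.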