kerberos pam_krb5.so module skiped in stack
Wang, Yu
ywang at unf.edu
Fri Jun 17 18:28:45 UTC 2005
I would first check to make sure the SSH IS using pam not its own auth. You may want to turn on debug mode on ssh and on krb5. kinit means your krb client set up is correct. You can use telnet and a kerberos principle to test your pam stack. If it works for telnet, then it's your ssh configuration. I don't use RH so cannot test your pam stack. Mine doesn't have those 'default=bad' thing since my users are in AD.
Yu
> -----Original Message-----
> From: pam-list-bounces at redhat.com
> [mailto:pam-list-bounces at redhat.com]On
> Behalf Of Rick Blair
> Sent: Friday, June 17, 2005 1:38 PM
> To: pam-list at redhat.com
> Subject: kerberos pam_krb5.so module skiped in stack
>
>
> On past versions of redhat and Fedora Core I was able to set
> up kerberos
>
> authentication with pam without any problem.
>
> On Fedora Core 3 and now 4 I can not get it to work. I set
> everything
> up as before and run kinit <user> and that works. If I do a
> tcp dump I
> can see the port 88 communication occuring.
> If I use pam and a service like sshd, I get the error: "sshd[23379]:
> Failed password for <user>". A tcpdump reveals no port 88
> traffic. It
> looks like the pam_krb5.so module is being skipped in the pam stack.
>
> Here are my pam configs:
> /etc/pam.d/sshd
> #%PAM-1.0
> auth required pam_stack.so service=system-auth debug
> auth required pam_nologin.so
> account required pam_stack.so service=system-auth debug
> password required pam_stack.so service=system-auth degug
> #session required pam_stack.so service=system-auth
> #session required pam_limits.so
> #session optional pam_console.so
> session required pam_permit.so
>
>
> cat /etc/pam.d/system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_unix.so
> likeauth nullok
> auth sufficient /lib/security/$ISA/pam_krb5.so
> use_first_pass
> auth required /lib/security/$ISA/pam_deny.so
>
> account required /lib/security/$ISA/pam_unix.so broken_shadow
> account sufficient
> /lib/security/$ISA/pam_succeed_if.so uid < 100
> quiet
> account [default=bad success=ok user_unknown=ignore]
> /lib/security/$ISA/pam_krb5.so
> account required /lib/security/$ISA/pam_permit.so
>
> password requisite /lib/security/$ISA/pam_cracklib.so retry=3
> password sufficient /lib/security/$ISA/pam_unix.so nullok
> use_authtok md5 shadow
> password sufficient /lib/security/$ISA/pam_krb5.so use_authtok
> password required /lib/security/$ISA/pam_deny.so
>
> session required /lib/security/$ISA/pam_limits.so
> session required /lib/security/$ISA/pam_unix.so
> session optional /lib/security/$ISA/pam_krb5.so
>
> --
> -Rick
>
> _______________________________________________
> Pam-list mailing list
> Pam-list at redhat.com
> https://www.redhat.com/mailman/listinfo/pam-list
>
>
More information about the Pam-list
mailing list