Integrated Login
Ido Levy
idol.levy at gmail.com
Tue Mar 25 10:49:48 UTC 2008
Hello,
Following your advice I have successfully setup integrated login for ssh.
I got both AFS token and Kerberos 5 ticket.
Following are the PAM files of sshd and system-auth:
I have a few questions regarding the setup of sshd PAM file that looks a
little strange for me although it's working and satisfy my needs.
*sshd*
#%PAM-1.0
auth required pam_listfile.so item=user sense=deny
file=/etc/ssh/ssh_host_deny onerr=succeed
# Without the following line it's not working properly ( I wonder why, it
has the same line in system-auth file )
auth required pam_afs.so try_first_pass ignore_root set_token
# Note that the following line is marked as optional, any change will harm
the login process - I think it should be required
auth optional pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_limits.so
*system-auth*
#%PAM-1.0
auth required pam_env.so
auth optional pam_krb5.so use_first_pass
auth required pam_afs.so try_first_pass ignore_root set_token
auth required pam_deny.so
account sufficient pam_unix.so
account sufficient pam_krb5.so
account sufficient pam_ldap.so
password requisite pam_passwdqc.so min=disabled,8,8,8,8 passphrase=0
enforce=users
password sufficient pam_unix.so md5 shadow nullok try_first_pass
use_authtok
password sufficient pam_krb5.so use_authtok
password required pam_deny.so
session required pam_limits.so
session optional pam_krb5.so
session optional pam_ldap.so
session required pam_unix.so
On Tue, Mar 25, 2008 at 11:28 AM, Ido Levy <idol.levy at gmail.com> wrote:
> Tomas,
>
> Thanks for the advice !!
> I will check it out and will update the list for my results.
>
> Ido
>
>
> On Tue, Mar 25, 2008 at 11:24 AM, Tomas Mraz <tmraz at redhat.com> wrote:
>
> > On Tue, 2008-03-25 at 11:15 +0200, Ido Levy wrote:
> > > Hello,
> > >
> > > I am trying to configure PAM to provide both AFS token and Kerberos 5
> > > ticket in the login process but unfortunately with no luck.
> > > I am able to get AFS token or Kerberos 5 ticket but not both of them.
> > >
> > > Following is the system-auth file.
> > >
> > > #%PAM-1.0
> > > auth required pam_env.so
> > > auth sufficient /lib64/security/pam_krb5.so use_first_pass
> > This module must be "required" and not "sufficient".
> > > auth sufficient /lib64/security/pam_afs.so try_first_pass
> > > ignore_root set_token
> > Also you shouldn't use full paths to the modules, the pam library will
> > search /lib(64)/security automatically.
> >
> > --
> > Tomas Mraz
> > No matter how far down the wrong road you've gone, turn back.
> > Turkish proverb
> >
> > _______________________________________________
> > Pam-list mailing list
> > Pam-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/pam-list
> >
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pam-list/attachments/20080325/15865ee6/attachment.htm>
More information about the Pam-list
mailing list