Integrated Login
Ido Levy
idol.levy at gmail.com
Tue Mar 25 14:27:11 UTC 2008
The most optimized configuration I have reached is as follows.
Thank you for the help!!
sshd

auth required pam_listfile.so item=user sense=deny file=/etc/ssh/ssh_host_deny onerr=succeed
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_limits.so

system-auth

auth required pam_env.so
auth optional pam_krb5.so try_first_pass
auth sufficient pam_afs.so try_first_pass ignore_root set_token
auth required pam_deny.so
account sufficient pam_unix.so
account sufficient pam_krb5.so
account sufficient pam_ldap.so
password requisite pam_passwdqc.so min=disabled,8,8,8,8 passphrase=0 enforce=users
password sufficient pam_krb5.so use_authtok
password required pam_deny.so
session required pam_limits.so
session optional pam_krb5.so
session optional pam_ldap.so
session required pam_unix.so

Ido Levy
On Tue, Mar 25, 2008 at 1:14 PM, Tomas Mraz <tmraz at redhat.com> wrote:
> On Tue, 2008-03-25 at 12:49 +0200, Ido Levy wrote:
> > Hello,
> >
> > Following your advice I have successfully set up integrated login for
> > ssh.
> > I got both AFS token and Kerberos 5 ticket.
> >
> > Following are the PAM files of sshd and system-auth:
> > I have a few questions regarding the setup of the sshd PAM file that looks
> > a little strange to me although it's working and satisfies my needs.
> >
> > sshd
>
> Here is my recommendation - try if that works:
>
> #%PAM-1.0
> auth required pam_listfile.so item=user sense=deny file=/etc/ssh/ssh_host_deny onerr=succeed
> auth required pam_stack.so service=system-auth
> auth required pam_nologin.so
>
> account required pam_stack.so service=system-auth
>
> password required pam_stack.so service=system-auth
>
> session required pam_stack.so service=system-auth
> session required pam_limits.so
>
> system-auth
>
> #%PAM-1.0
> auth required pam_env.so
> auth required pam_krb5.so
> auth sufficient pam_afs.so try_first_pass ignore_root set_token
> auth required pam_deny.so
>
> account sufficient pam_unix.so
> account sufficient pam_krb5.so
> account sufficient pam_ldap.so
>
> password requisite pam_passwdqc.so min=disabled,8,8,8,8 passphrase=0 enforce=users
> password sufficient pam_krb5.so use_authtok
> password required pam_deny.so
>
> session required pam_limits.so
> session optional pam_krb5.so
> session optional pam_ldap.so
> session required pam_unix.so
>
> --
> Tomas Mraz
> No matter how far down the wrong road you've gone, turn back.
> Turkish proverb
>
> _______________________________________________
> Pam-list mailing list
> Pam-list at redhat.com
> https://www.redhat.com/mailman/listinfo/pam-list
>
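
An added example, not part of either message: a simplified Python model of how Linux-PAM's `required`, `requisite`, `sufficient` and `optional` control flags resolve the two `system-auth` auth stacks posted in this thread. The function names are hypothetical and the module outcomes are constructed inputs, not results from real modules.

```python
# Simplified model of the four keyword control flags in Linux-PAM.
# Module outcomes are constructed inputs, not results from real modules.

IDO_AUTH = """\
auth required pam_env.so
auth optional pam_krb5.so try_first_pass
auth sufficient pam_afs.so try_first_pass ignore_root set_token
auth required pam_deny.so
"""

TOMAS_AUTH = """\
#%PAM-1.0
auth required pam_env.so
auth required pam_krb5.so
auth sufficient pam_afs.so try_first_pass ignore_root set_token
auth required pam_deny.so
"""

def parse_stack(text, mod_type):
    """Return [(control, module)] for one management group, e.g. 'auth'."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments and blanks
        if len(fields) >= 3 and fields[0] == mod_type:
            entries.append((fields[1], fields[2]))
    return entries

def evaluate(entries, results):
    """results maps module name -> True (success) or False (failure)."""
    failed = False      # a 'required' module has failed
    succeeded = False   # some module has contributed a success
    for control, module in entries:
        ok = results[module]
        if control == "requisite" and not ok:
            return False                  # fail immediately
        if control == "required" and not ok:
            failed = True                 # fail, but keep running the stack
        elif control == "sufficient" and ok and not failed:
            return True                   # stop here with success
        elif ok and control != "sufficient":
            succeeded = True
        # a failed 'sufficient' or 'optional' module is ignored
    return succeeded and not failed

def login_ok(stack_text, krb5_ok, afs_ok):
    """Hypothetical helper: pam_env succeeds, pam_deny always fails."""
    results = {"pam_env.so": True, "pam_krb5.so": krb5_ok,
               "pam_afs.so": afs_ok, "pam_deny.so": False}
    return evaluate(parse_stack(stack_text, "auth"), results)
```

In this model the stack with `optional` pam_krb5 accepts a login whenever pam_afs succeeds, while the stack with `required` pam_krb5 accepts it only when both pam_krb5 and pam_afs succeed.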