[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Integrated Login



Hello,

Following your advice I have successfully setup integrated login for ssh.
I got both AFS token and Kerberos 5 ticket.

Following are the PAM files of sshd and system-auth:
I have a few questions regarding the setup of sshd PAM file that looks a little strange for me although it's working and satisfy my needs.

sshd

#%PAM-1.0
auth       required     pam_listfile.so item=user sense=deny file=/etc/ssh/ssh_host_deny ># Without the following line it's not working properly ( I wonder why, it has the same line in system-auth file )
auth       required     pam_afs.so try_first_pass ignore_root set_token
# Note that the following line is marked as optional, any change will harm the login process - I think it should be required
auth       optional     pam_stack.so service=system-auth
auth       required     pam_nologin.so

account    required     pam_stack.so service=system-auth

password   required     pam_stack.so service=system-auth

session    required     pam_stack.so service=system-auth
session    required     pam_limits.so

system-auth

#%PAM-1.0
auth        required      pam_env.so
auth        optional      pam_krb5.so use_first_pass
auth        required      pam_afs.so try_first_pass ignore_root set_token
auth        required      pam_deny.so

account     sufficient    pam_unix.so
account     sufficient    pam_krb5.so
account     sufficient    pam_ldap.so

password    requisite     pam_passwdqc.so min=disabled,8,8,8,8 passphrase=0 enforce=users
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required     pam_deny.so

session     required      pam_limits.so
session     optional      pam_krb5.so
session     optional      pam_ldap.so
session     required      pam_unix.so


On Tue, Mar 25, 2008 at 11:28 AM, Ido Levy <idol levy gmail com> wrote:
Tomas,

Thanks for the advice !!
I will check it out and will update the list for my results.

Ido


On Tue, Mar 25, 2008 at 11:24 AM, Tomas Mraz <tmraz redhat com> wrote:
On Tue, 2008-03-25 at 11:15 +0200, Ido Levy wrote:
> Hello,
>
> I am trying to configure PAM to provide both AFS token and Kerberos 5
> ticket in the login process but unfortunately with no luck.
> I am able to get AFS token or Kerberos 5 ticket but not both of them.
>
> Following is the system-auth file.
>
> #%PAM-1.0
> auth        required      pam_env.so
> auth        sufficient      /lib64/security/pam_krb5.so use_first_pass
This module must be "required" and not "sufficient".
> auth        sufficient      /lib64/security/pam_afs.so try_first_pass
> ignore_root set_token
Also you shouldn't use full paths to the modules, the pam library will
search /lib(64)/security automatically.

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                             Turkish proverb

_______________________________________________
Pam-list mailing list
Pam-list redhat com
https://www.redhat.com/mailman/listinfo/pam-list



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]