Integrated Login

Ido Levy idol.levy at gmail.com
Tue Mar 25 14:27:11 UTC 2008 

The most optimized configuration I have reached is as follows.
Thank you for the help !!

*sshd*

auth       required     pam_listfile.so item=user sense=deny
file=/etc/ssh/ssh_host_deny onerr=succeed
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so

account    required     pam_stack.so service=system-auth

password   required     pam_stack.so service=system-auth

session    required     pam_stack.so service=system-auth
session    required     pam_limits.so

*system-auth

*auth        required      pam_env.so
auth        optional      pam_krb5.so try_first_pass
auth        sufficient    pam_afs.so try_first_pass ignore_root set_token
auth        required      pam_deny.so

account     sufficient    pam_unix.so
account     sufficient    pam_krb5.so
account     sufficient    pam_ldap.so

password    requisite     pam_passwdqc.so min=disabled,8,8,8,8 passphrase=0
enforce=users
password    sufficient    pam_krb5.so use_authtok*
*password    required      pam_deny.so

session     required      pam_limits.so
session     optional      pam_krb5.so
session     optional      pam_ldap.so
session     required      pam_unix.so*

*
Ido Levy

On Tue, Mar 25, 2008 at 1:14 PM, Tomas Mraz <tmraz at redhat.com> wrote:

> On Tue, 2008-03-25 at 12:49 +0200, Ido Levy wrote:
> > Hello,
> >
> > Following your advice I have successfully setup integrated login for
> > ssh.
> > I got both AFS token and Kerberos 5 ticket.
> >
> > Following are the PAM files of sshd and system-auth:
> > I have a few questions regarding the setup of sshd PAM file that looks
> > a little strange for me although it's working and satisfy my needs.
> >
> > sshd
>
> Here is my recommendation - try if that works:
>
> #%PAM-1.0
> auth       required     pam_listfile.so item=user sense=deny
> file=/etc/ssh/ssh_host_deny onerr=succeed
> auth       required     pam_stack.so service=system-auth
> auth       required     pam_nologin.so
>
> account    required     pam_stack.so service=system-auth
>
> password   required     pam_stack.so service=system-auth
>
> session    required     pam_stack.so service=system-auth
> session    required     pam_limits.so
>
> system-auth
>
> #%PAM-1.0
> auth        required      pam_env.so
> auth        required      pam_krb5.so
> auth        sufficient    pam_afs.so try_first_pass ignore_root set_token
> auth        required      pam_deny.so
>
> account     sufficient    pam_unix.so
> account     sufficient    pam_krb5.so
> account     sufficient    pam_ldap.so
>
> password    requisite     pam_passwdqc.so min=disabled,8,8,8,8
> passphrase=0 enforce=users
> password    sufficient    pam_krb5.so use_authtok
> password    required      pam_deny.so
>
> session     required      pam_limits.so
> session     optional      pam_krb5.so
> session     optional      pam_ldap.so
> session     required      pam_unix.so
>
> --
> Tomas Mraz
> No matter how far down the wrong road you've gone, turn back.
>                                              Turkish proverb
>
> _______________________________________________
> Pam-list mailing list
> Pam-list at redhat.com
> https://www.redhat.com/mailman/listinfo/pam-list
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pam-list/attachments/20080325/c201a30a/attachment.htm>

More information about the Pam-list mailing list