[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Integrated Login



The most optimized configuration I have reached is as follows.
Thank you for the help !!

sshd

auth       required     pam_listfile.so item=user sense=deny file=/etc/ssh/ssh_host_deny > auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so

account    required     pam_stack.so service=system-auth

password   required     pam_stack.so service=system-auth

session    required     pam_stack.so service=system-auth
session    required     pam_limits.so

system-auth

auth        required      pam_env.so
auth        optional      pam_krb5.so try_first_pass
auth        sufficient    pam_afs.so try_first_pass ignore_root set_token
auth        required      pam_deny.so

account     sufficient    pam_unix.so
account     sufficient    pam_krb5.so
account     sufficient    pam_ldap.so

password    requisite     pam_passwdqc.so min=disabled,8,8,8,8 passphrase=0 enforce=users
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     required      pam_limits.so
session     optional      pam_krb5.so
session     optional      pam_ldap.so
session     required      pam_unix.so


Ido Levy

On Tue, Mar 25, 2008 at 1:14 PM, Tomas Mraz <tmraz redhat com> wrote:
On Tue, 2008-03-25 at 12:49 +0200, Ido Levy wrote:
> Hello,
>
> Following your advice I have successfully setup integrated login for
> ssh.
> I got both AFS token and Kerberos 5 ticket.
>
> Following are the PAM files of sshd and system-auth:
> I have a few questions regarding the setup of sshd PAM file that looks
> a little strange for me although it's working and satisfy my needs.
>
> sshd

Here is my recommendation - try if that works:

#%PAM-1.0
auth       required     pam_listfile.so item=user sense=deny file=/etc/ssh/ssh_host_deny >
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so

account    required     pam_stack.so service=system-auth

password   required     pam_stack.so service=system-auth

session    required     pam_stack.so service=system-auth
session    required     pam_limits.so

system-auth

#%PAM-1.0
auth        required      pam_env.so
auth        required      pam_krb5.so
auth        sufficient    pam_afs.so try_first_pass ignore_root set_token
auth        required      pam_deny.so

account     sufficient    pam_unix.so
account     sufficient    pam_krb5.so
account     sufficient    pam_ldap.so

password    requisite     pam_passwdqc.so min=disabled,8,8,8,8 passphrase=0 enforce=users
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     required      pam_limits.so
session     optional      pam_krb5.so
session     optional      pam_ldap.so
session     required      pam_unix.so

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                             Turkish proverb

_______________________________________________
Pam-list mailing list
Pam-list redhat com
https://www.redhat.com/mailman/listinfo/pam-list


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]