kerberos pam_krb5.so module skiped in stack

Rick Blair rickblairmail at gmail.com
Fri Jun 17 17:38:20 UTC 2005 

On past versions of redhat and Fedora Core I was able to set up kerberos

authentication with pam without any problem.

On Fedora Core 3 and now 4 I can not get it to work.  I set everything 
up as before and run kinit <user> and that works.  If I do a tcp dump I 
can see the port 88 communication occuring.
If I use pam and a service like sshd, I get the error: "sshd[23379]: 
Failed password for <user>".  A tcpdump reveals no port 88 traffic.  It 
looks like the pam_krb5.so module is being skipped in the pam stack.

Here are my pam configs:
/etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_stack.so service=system-auth debug
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth debug
password   required     pam_stack.so service=system-auth degug
#session    required     pam_stack.so service=system-auth
#session    required     pam_limits.so
#session    optional     pam_console.so
session    required     pam_permit.so


cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 
quiet
account     [default=bad success=ok user_unknown=ignore] 
/lib/security/$ISA/pam_krb5.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok 
use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_krb5.so

-- 
		-Rick

More information about the Pam-list mailing list