Integrated Login

Ido Levy idol.levy at gmail.com
Tue Mar 25 10:49:48 UTC 2008


Hello,

Following your advice I have successfully set up integrated login for ssh.
I got both AFS token and Kerberos 5 ticket.

Following are the PAM files of sshd and system-auth:
I have a few questions regarding the setup of the sshd PAM file, which looks a
little strange to me although it's working and satisfies my needs.

*sshd*

#%PAM-1.0
auth       required     pam_listfile.so item=user sense=deny file=/etc/ssh/ssh_host_deny onerr=succeed
# Without the following line it's not working properly ( I wonder why, it has the same line in system-auth file )
auth       required     pam_afs.so try_first_pass ignore_root set_token
# Note that the following line is marked as optional, any change will harm the login process - I think it should be required
auth       optional     pam_stack.so service=system-auth
auth       required     pam_nologin.so

account    required     pam_stack.so service=system-auth

password   required     pam_stack.so service=system-auth

session    required     pam_stack.so service=system-auth
session    required     pam_limits.so

*system-auth*

#%PAM-1.0
auth        required      pam_env.so
auth        optional      pam_krb5.so use_first_pass
auth        required      pam_afs.so try_first_pass ignore_root set_token
auth        required      pam_deny.so

account     sufficient    pam_unix.so
account     sufficient    pam_krb5.so
account     sufficient    pam_ldap.so

password    requisite     pam_passwdqc.so min=disabled,8,8,8,8 passphrase=0 enforce=users
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     required      pam_limits.so
session     optional      pam_krb5.so
session     optional      pam_ldap.so
session     required      pam_unix.so


On Tue, Mar 25, 2008 at 11:28 AM, Ido Levy <idol.levy at gmail.com> wrote:

> Tomas,
>
> Thanks for the advice !!
> I will check it out and will update the list with my results.
>
> Ido
>
>
> On Tue, Mar 25, 2008 at 11:24 AM, Tomas Mraz <tmraz at redhat.com> wrote:
>
> > On Tue, 2008-03-25 at 11:15 +0200, Ido Levy wrote:
> > > Hello,
> > >
> > > I am trying to configure PAM to provide both AFS token and Kerberos 5
> > > ticket in the login process but unfortunately with no luck.
> > > I am able to get AFS token or Kerberos 5 ticket but not both of them.
> > >
> > > Following is the system-auth file.
> > >
> > > #%PAM-1.0
> > > auth        required      pam_env.so
> > > auth        sufficient      /lib64/security/pam_krb5.so use_first_pass
> > This module must be "required" and not "sufficient".
> > > auth        sufficient      /lib64/security/pam_afs.so try_first_pass ignore_root set_token
> > Also you shouldn't use full paths to the modules, the pam library will
> > search /lib(64)/security automatically.
> >
> > --
> > Tomas Mraz
> > No matter how far down the wrong road you've gone, turn back.
> >                                              Turkish proverb
> >
> > _______________________________________________
> > Pam-list mailing list
> > Pam-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/pam-list
> >
>
>
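
Added example (not part of the original thread and not code from the PAM project): a small Python model of the four basic PAM control flags, run over the two auth stacks posted above. It shows that system-auth as posted can never succeed, because its last required module is pam_deny.so, so the sshd login is decided by the pam_afs.so line in the sshd file. Assumptions: pam_stack.so hands back the nested stack's result, every module other than pam_afs.so, pam_krb5.so and pam_deny.so succeeds, and the `stack_control` and `keep_deny` switches build hypothetical variants that nobody in the thread proposed.

```python
# Simplified model of Linux-PAM control flags; module outcomes are inputs, not real PAM calls.
SSHD = [("required", "pam_listfile.so", None),          # auth lines as posted
        ("required", "pam_afs.so", None),
        ("optional", "pam_stack.so", "system-auth"),
        ("required", "pam_nologin.so", None)]
SYSTEM_AUTH = [("required", "pam_env.so", None),
               ("optional", "pam_krb5.so", None),
               ("required", "pam_afs.so", None),
               ("required", "pam_deny.so", None)]

def run_stack(stacks, service, results):
    """Return True if the auth stack of `service` succeeds."""
    failed = False   # a required module has failed
    passed = False   # some module's success has been counted
    for control, module, arg in stacks[service]:
        if module == "pam_stack.so":
            ok = run_stack(stacks, arg, results)  # assumption: nested result is the module result
        elif module == "pam_deny.so":
            ok = False                            # pam_deny.so always fails
        else:
            ok = results.get(module, True)        # assumption: unlisted modules succeed
        if ok and not failed:
            passed = True
            if control == "sufficient":
                return True                       # success ends the stack early
        elif not ok and control == "requisite":
            return False                          # failure ends the stack at once
        elif not ok and control == "required":
            failed = True                         # remembered, rest of the stack still runs
        # a failing "sufficient" or "optional" module is ignored
    return passed and not failed

def login(password_ok, stack_control="optional", keep_deny=True):
    """Evaluate the sshd auth stack; the two keyword arguments build hypothetical variants."""
    sshd = [(stack_control if m == "pam_stack.so" else c, m, a) for c, m, a in SSHD]
    sysauth = [e for e in SYSTEM_AUTH if keep_deny or e[1] != "pam_deny.so"]
    results = {"pam_afs.so": password_ok, "pam_krb5.so": password_ok}
    return run_stack({"sshd": sshd, "system-auth": sysauth}, "sshd", results)

if __name__ == "__main__":
    for pw in (True, False):
        print("password_ok=%s as posted: %s" % (pw, login(pw)))
        print("password_ok=%s pam_stack required: %s" % (pw, login(pw, "required")))
        print("password_ok=%s required, no pam_deny: %s" % (pw, login(pw, "required", False)))
```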