[30532] in Kerberos

home help back first fref pref prev next nref lref last post

Kerberos auth based on ticket

daemon@ATHENA.MIT.EDU (Mathew Rowley)
Mon Dec 15 18:37:16 2008

Date: Mon, 15 Dec 2008 16:36:13 -0700
From: Mathew Rowley <mathew_rowley@cable.comcast.com>
To: "kerberos@mit.edu" <kerberos@mit.edu>
Message-ID: <C56C37FD.4F6E%mathew_rowley@cable.comcast.com>
Mime-version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

I am having a really hard time finding any documentation about PAM
configurations.  I want to be able to authenticate an SSH login with a valid
Kerberos ticket.  What configurations do I need within the
/etc/pam.d/system-auth file to allow an authentication to succeed with a
valid ticket.  Here is what I currently have:

Valid ticket:
[root@ipa01 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: mrowley@IPA.COMCAST.COM

Valid starting     Expires            Service principal
12/15/08 18:11:50  12/16/08 18:11:50  krbtgt/IPA.COMCAST.COM@IPA.COMCAST.COM


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

System-auth will use Œpam_krb5¹ as sufficient
[root@ipa01 ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond
quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so

Yet, when I attempt to log in, it still asks me for a password ­ even though
I have a valid ticket...
[root@ipa01 ~]# ssh mrowley@localhost
mrowley@localhost's password:
  

Any help would be appreciated.  Thanks.

-- 
MAT
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
home help back first fref pref prev next nref lref last post