> Thanks, your PDF helped me get k5su up and running. Now can you help me switch
> my console login service to Kerberos? :) I don't quite get the man pages for PAM
> and am worried about locking myself out of my system if I do something wrong.

Step number 1: log in on a different virtual console and leave it logged
in. This console is known as "insurance" ;-)

It's really not that hard with a fairly recent FreeBSD ... there should
be a pam_krb5 already in there (but commented out).

pam.conf is broken into sections, corresponding to the different
services that might require authentication. The first "block" in the
pam.conf is for the console login service. Try uncommenting the pam_krb5
line and logging in on a third virtual service.

I'm not actually using pam for services other than console login - while
pam is great for centralizing authentication, it doesn't magically add
encryption of the data stream to the various service daemons (the MIT
kerberos -x switch for most apps). You'll need service daemons that
specifically support that.

Hmmm. Now that I think about it, with Heimdal in the base install, the
normal daemons /might/ actually do that. It doesn't apply to me as I'm
using MIT krb5, but it'd be worth investigating if you're using the
Heimdal in the base install.

- Tillman
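
A check that could be run from the "insurance" console before and after uncommenting the pam_krb5 line, added here as an example and not part of the original message. The sample lines and the names `sample_conf` and `krb5_check` are constructed for illustration and assume the usual pam.conf column layout (service, type, control, module, arguments).

```shell
#!/bin/sh
# Added example (not from the original message). Lines follow the pam.conf
# layout: service  type  control  module  [arguments]

# Constructed sample: pam_krb5 is present but commented out for "login".
sample_conf() {
    printf '%s\n' \
        '# constructed sample, not a real system file' \
        '#login  auth     sufficient  pam_krb5.so  try_first_pass' \
        'login   auth     required    pam_unix.so  try_first_pass' \
        'login   account  required    pam_unix.so' \
        'ftpd    auth     required    pam_unix.so  try_first_pass'
}

# krb5_check SERVICE < pam.conf
# Prints "<state> fallback=<yes|no>": state is enabled, commented or absent;
# fallback says whether another active auth module remains for SERVICE.
krb5_check() {
    awk -v svc="$1" '
        {
            line = $0; active = 1
            # Strip a leading "#" so commented-out entries are still recognised.
            if (line ~ /^[ \t]*#/) { active = 0; sub(/^[ \t]*#/, "", line) }
            sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t]+/)
            if (n < 4 || f[1] != svc || f[2] != "auth") next
            if (f[4] ~ /pam_krb5/) {
                if (active) state = "enabled"
                else if (state == "") state = "commented"
            } else if (active) fallback = "yes"
        }
        END {
            if (state == "") state = "absent"
            if (fallback == "") fallback = "no"
            print state " fallback=" fallback
        }
    '
}

# Demo: before and after removing the leading "#" from the pam_krb5 line.
sample_conf | krb5_check login
sample_conf | sed 's/^#login/login/' | krb5_check login
```

On a real system the function would read the file itself, for example `krb5_check login < /etc/pam.conf`; a result of `fallback=no` means no other auth module is active for that service.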

