I recently did a freebsd-update to a machine running 6.3 to 7.1. I am now
having difficulty getting pam_krb5 to work as it used to for sshd

After upgrading to 7.1 I noticed the openpam_dispatch() and
pam_sm_authenticate() errors on my console when trying to login via ssh.  I
fixed these by removing the pam_nologin module from the auth list in my sshd
pam config file.
My current pam sshd configuation file is as follows:
# auth
auth            required        pam_krb5.so             no_warn
#auth            required        pam_unix.so             no_warn
try_first_pass nullok

# account
account         required        pam_nologin.so
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so             no_warn
password        required        pam_unix.so             no_warn

If I attempt to login with the correct kerberos credentials I get the
following error:
pam_setcred() failed to retreive user credentials

If I reenable the "auth required pam_unix.so" line and change the line
before it to "auth sufficient pam_krb5.so" I can logon with either my
kerberos or the local system password, but no other password as expected.
Unfortunately, I cannot allow local user passwords to logon to the system.
What am I doing wrong a similar setup worked with FreeBSD 6.3, but the last
authenticaion module was pam_nologin.
freebsd-questions@freebsd.org mailing list
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Reply via email to