On 03/27/2014 04:47 PM, John Obaterspok wrote:
2014-03-23 19:45 GMT-04:00  Dmitri Pal<d...@redhat.com>
2014-03-23 9:01 GMT+01:00 John Obaterspok<john.obaters...@gmail.com>:

How do I get vsftpd login to work with an existing ticket?
I've added ftp as an identity service (ftp/ipaserver.my....@my.lan)
Is there anything else I need to do to allow ftp login to vsftpd?
What ftp client and server are you using?
Do you know whether they are actually supporting Kerberos?
May be consider other tools like scp instead?
I'm using vsftpd with default settings in Fedora 20 + ftp client from
krb5-appl-clients. vsftpd is linked to pam, gssapi_krb5, and more.
/etc/pam.d/vsftpd looks like this:

session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny
file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       include      password-auth
account    include      password-auth
session    required     pam_loginuid.so
session    include      password-auth

  Perhaps I need to change something in the pam file in order to allow sso?

-- john

If you want SSO the ftp server should be configured to use GSSAPI and not use PAM (or fail over to PAM if client does not have a ticket). A search of the man pages for vsftpd did not render such option. I suspect it is either undocumented or some other Kerberos enables ftp server needs to be used.
Does krb-appl package provide one?

Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

Looking to carve out IT costs?

Freeipa-users mailing list

Reply via email to