I may be wrong on this, but I don't remember an option in vsftpd.conf to specify a keytab file, which is a good indication that it's not supported. There is a kerberized ftp server in the krb5 applications rpm; however, it's not widely used and is more likely than not lacking features and may have bugs.

-- Sent from my HP Pre3

On Mar 27, 2014 22:13, Dmitri Pal <d...@redhat.com> wrote:

On 03/27/2014 04:47 PM, John Obaterspok wrote:
> 2014-03-23 19:45 GMT-04:00 Dmitri Pal<d...@redhat.com>
>> 2014-03-23 9:01 GMT+01:00 John Obaterspok<john.obaters...@gmail.com>:
>>> Hello,
>>> How do I get vsftpd login to work with an existing ticket?
>>> I've added ftp as an identity service (ftp/ipaserver.my....@my.lan)
>>> Is there anything else I need to do to allow ftp login to vsftpd?
>> What ftp client and server are you using?
>> Do you know whether they are actually supporting Kerberos?
>> Maybe consider other tools like scp instead?
> I'm using vsftpd with default settings in Fedora 20 + ftp client from
> krb5-appl-clients. vsftpd is linked to pam, gssapi_krb5, and more.
> /etc/pam.d/vsftpd looks like this:
> #%PAM-1.0
> session optional pam_keyinit.so force revoke
> auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
> auth required pam_shells.so
> auth include password-auth
> account include password-auth
> session required pam_loginuid.so
> session include password-auth
> Perhaps I need to change something in the pam file in order to allow sso?
> -- john

If you want SSO the ftp server should be configured to use GSSAPI and
not use PAM (or fail over to PAM if the client does not have a ticket). A
search of the man pages for vsftpd did not render such an option. I suspect
it is either undocumented or some other Kerberos-enabled ftp server
needs to be used.
Does the krb-appl package provide one?

Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

Freeipa-users mailing list