pam_krb5 gives credentials (using a 'random' cache) just fine when logging in on the local machine. However, if I log in over ssh, it does not get the krb5 tickets, though it authenticates off Kerberos just fine. I am appending my pam config for system authentication:

#%PAM-1.0
auth required pam_env.so
#auth sufficient pam_krb5.so forwardable debug
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_krb5.so try_first_pass forwardable debug
auth required pam_deny.so

account sufficient pam_krb5.so debug
account required pam_unix.so

password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_krb5.so use_authtok debug
password sufficient pam_unix.so nullok md5 shadow use_authtok
password required pam_deny.so

session required pam_limits.so
session optional pam_krb5.so debug
session required pam_unix.so

When I connect over ssh, this is what gets spit out over /var/log/auth.log:

Nov 8 01:02:14 bloo sshd(pam_unix)[22884]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mason.gmu.edu user=andy
Nov 8 01:02:14 bloo sshd[22884]: pam_krb5: authentication succeeds for `andy'
Nov 8 01:02:14 bloo sshd[22884]: pam_krb5: pam_sm_authenticate returning 0 (Success)
Nov 8 01:02:14 bloo sshd[22880]: Accepted keyboard-interactive/pam for andy from 129.174.1.13 port 44164 ssh2
Nov 8 01:02:14 bloo sshd(pam_unix)[22885]: session opened for user andy by andy(uid=0)

It says nothing from session pam_krb5. If I change pam_krb5 (in session) from optional to required, the login fails altogether over ssh.

Thanks for the help!

--Andrew
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
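
The following is an added example, not part of the original post: a simplified Python model of how Linux-PAM combines the required, requisite, sufficient and optional control flags, run over the auth and session lines posted above. The module outcomes passed in are assumptions: pam_unix failing and pam_krb5 succeeding in auth follow the log, while a failing pam_krb5 session module is only what the optional/required behaviour in the post implies.

```python
# Added example: simplified model of Linux-PAM's simple control flags.
# Module outcomes passed in `results` are assumptions, not measurements.
CONFIG = """\
auth required pam_env.so
#auth sufficient pam_krb5.so forwardable debug
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_krb5.so try_first_pass forwardable debug
auth required pam_deny.so
session required pam_limits.so
session optional pam_krb5.so debug
session required pam_unix.so
"""

def parse_stack(text, facility):
    """Return [(control, module)] for one facility, skipping comments."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == facility:
            entries.append((fields[1], fields[2]))
    return entries

def evaluate(entries, results):
    """Return (stack_succeeds, modules_run); modules default to success."""
    failed = succeeded = False
    ran = []
    for control, module in entries:
        ok = results.get(module, True)
        ran.append(module)
        if control in ("required", "requisite"):
            succeeded = succeeded or ok
            failed = failed or not ok
            if control == "requisite" and not ok:
                break          # requisite failure ends the stack at once
        elif control == "sufficient":
            if ok and not failed:
                succeeded = True
                break          # success with no earlier failure ends the stack
        elif control == "optional":
            succeeded = succeeded or ok   # a failure here is ignored
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return succeeded and not failed, ran

if __name__ == "__main__":
    auth = parse_stack(CONFIG, "auth")
    session = parse_stack(CONFIG, "session")
    print(evaluate(auth, {"pam_unix.so": False, "pam_deny.so": False}))
    print(evaluate(session, {"pam_krb5.so": False}))
    strict = [("required", m) if m == "pam_krb5.so" else (c, m) for c, m in session]
    print(evaluate(strict, {"pam_krb5.so": False}))
```

With these inputs the auth stack succeeds without reaching pam_deny, the posted session stack succeeds despite the failing optional module, and the same session stack fails once pam_krb5 is marked required.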
