Hi,
The good news is, it is running.
Congratulations!
Hi, Henrik.
Thanks.
Though it's running, but not being used yet :\
I spent hours trying to understand uss.
:-)
The bad news is that, in spite of using the pam modules, tokens are not being issued at login time. I have created a user with the same UID, password and login name, configured pam.d/login and pam.d/sshd to use the afs pam module, and yet, no tokens.
Can you post your pam.d/login? What messages do you get in your /var/log/... files? (auth.log on my system, may be different on yours.)
Here is an example of an ssh login, a check for tokens, and a view of the relevant pam.d files:
[EMAIL PROTECTED]:~$ ssh 192.168.1.50
[EMAIL PROTECTED]'s password:
Last login: Wed Jan 21 00:14:40 2004 from 192.168.1.10
Could not chdir to home directory /home/sfbosch: No such file or directory
[EMAIL PROTECTED] / $ ls
afs boot etc install.html lost+found opt root tmp var vicepb
bin dev home lib mnt proc sbin usr vicepa
[EMAIL PROTECTED] / $ /usr/afs/bin/tokens
Tokens held by the Cache Manager:
--End of list--
[EMAIL PROTECTED] / $ cat /etc/pam.d/sshd
#%PAM-1.0
auth required pam_stack.so service=system-auth
auth required pam_shells.so
auth required pam_nologin.so
auth sufficient pam_afs.so try_first_pass ignore_root
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
[EMAIL PROTECTED] / $ cat /etc/pam.d/login
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_afs.so try_first_pass ignore_root
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so
[EMAIL PROTECTED] / $ cat /etc/pam.d/su
#%PAM-1.0
auth sufficient /lib/security/pam_rootok.so
# If you want to restrict users begin allowed to su even more,
# create /etc/security/suauth.allow (or to that matter) that is only
# writable by root, and add users that are allowed to su to that
# file, one per line.
#auth required /lib/security/pam_listfile.so item=ruser sense=allow onerr=fail file=/etc/security/suauth.allow
# Uncomment this to allow users in the wheel group to su without
# entering a passwd.
#auth sufficient /lib/security/pam_wheel.so use_uid trust
# Alternatively to above, you can implement a list of users that do
# not need to supply a passwd with a list.
#auth sufficient /lib/security/pam_listfile.so item=ruser sense=allow onerr=fail file=/etc/security/suauth.nopass
# Comment this to allow any user, even those not in the 'wheel'
# group to su
auth required /lib/security/pam_wheel.so use_uid
auth required /lib/security/pam_stack.so service=system-auth
auth sufficient pam_afs.so try_first_pass ignore_root
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_xauth.so
[EMAIL PROTECTED] / $
Question: How do I list the users?
-Stephen-
_______________________________________________ OpenAFS-info mailing list [EMAIL PROTECTED] https://lists.openafs.org/mailman/listinfo/openafs-info
