Darren J Moffat wrote:
> Shawn M Emery wrote:
>> The stack configuration is for authentication and attempts to add a
>> pam_krb5 entry with a sufficient control flag after pam_unix_cred.
>> For example, sshd-kbdint would look like:
>>
>> sshd-kbdint auth requisite pam_authtok_get.so.1
>> sshd-kbdint auth required pam_dhkeys.so.1
>> sshd-kbdint auth required pam_unix_cred.so.1
>> sshd-kbdint auth sufficient pam_krb5.so.1
>> sshd-kbdint auth required pam_unix_auth.so.1
>>
>
> Why sufficient rather than binding?

I didn't want to lock out non-Kerberos related users. I believe that there would be too much impact if local users could not log in to some of these services that could be specified.

Shawn.
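
The difference between the two control flags for the sshd-kbdint stack quoted above, as an added example that is not part of the original thread: a simplified Python model of pam.conf(4) control-flag evaluation. The per-module outcomes (pam_krb5 failing for a user with no Kerberos principal, pam_unix_auth failing for a Kerberos-only user) are constructed assumptions, and `run_stack`, `sshd_kbdint` and `compare` are hypothetical names.

```python
# Simplified model of pam.conf(4) control flags; not real PAM code.
# Assumes the stack contains at least one required module.

def run_stack(stack, outcomes):
    """Return (authenticated, modules_called) for one auth stack."""
    required_failed = False
    called = []
    for flag, module in stack:
        called.append(module)
        if outcomes[module]:
            # sufficient/binding success ends the stack early, but only
            # if no earlier required-class module has failed.
            if flag in ("sufficient", "binding") and not required_failed:
                return True, called
        elif flag == "requisite":
            return False, called           # fail immediately
        elif flag in ("required", "binding"):
            required_failed = True         # recorded, stack continues
        # a failed "sufficient" module counts as an optional failure
    return not required_failed, called

def sshd_kbdint(krb5_flag):
    """The stack from the thread, with the pam_krb5 flag as a parameter."""
    return [
        ("requisite", "pam_authtok_get.so.1"),
        ("required", "pam_dhkeys.so.1"),
        ("required", "pam_unix_cred.so.1"),
        (krb5_flag, "pam_krb5.so.1"),
        ("required", "pam_unix_auth.so.1"),
    ]

# Constructed outcomes (assumptions): True = module returned success.
BASE = {"pam_authtok_get.so.1": True, "pam_dhkeys.so.1": True,
        "pam_unix_cred.so.1": True}
LOCAL_USER = dict(BASE, **{"pam_krb5.so.1": False, "pam_unix_auth.so.1": True})
KRB_USER = dict(BASE, **{"pam_krb5.so.1": True, "pam_unix_auth.so.1": False})

def compare():
    """Map (krb5 flag, user kind) -> whether authentication succeeds."""
    users = {"local": LOCAL_USER, "kerberos": KRB_USER}
    return {(flag, name): run_stack(sshd_kbdint(flag), outcome)[0]
            for flag in ("sufficient", "binding")
            for name, outcome in users.items()}

if __name__ == "__main__":
    for key, ok in compare().items():
        print(key, "->", "authenticated" if ok else "denied")
```

In this model only the local user under `binding` is denied: the pam_krb5 failure is recorded as a required failure, so the later pam_unix_auth success cannot rescue the stack.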