You need to set the following in your server's sshd_config file:
    PasswordAuthentication no
    PAMAuthenticationViaKbdInt yes
If you leave PasswordAuthentication at the default yes, then it will prompt
for a password BEFORE trying PAM. If you turn off password auth, then it will
try public key, then follow PAM. If you want password in addition, make sure it
is first in the pam.conf file. I'm assuming you did stack them and only showed
the changes below. If not, you have to add pam_unix first, like so:
    sshd auth required /usr/lib/security/$ISA/pam_unix.so.1
    sshd auth required /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
    ...
The default (other) is only used if there is no match for the service/session
type combo. Thus, for password it would use other and pam_unix.so.1. It won't
add the pam_krb5.so.1 if you define anything for the combo, which is why the
pam_unix.so.1 is needed before it above.
Hope this helps.
--Dave
>Date: Wed, 13 Jun 2001 18:00:38 +0200
>From: Shaun McCullagh <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Configuring OpenSSH 2.9p1 to use Kerberos 5 via PAM authentication on Solaris 8i
>
>Hi,
>
>I'm trying to get openssh to use PAM.
>
>I configured openssh with '--with-pam', compiled and installed
>successfully.
>
>I then added
>
> sshd auth required /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
> sshd account required /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
>
>to /etc/pam.conf
>
>Could somebody tell me if this is sufficient? Do I need to configure
>anything else?
>
>TIA
>
>
>--
>Shaun McCullagh mailto:[EMAIL PROTECTED]
>Senior Unix Administrator Office Phone +31 (0) 20 850 9342
>marviQ BV Mobile +31 (0) 615 09 23 25
>Ringwood Building
>Nachtwachtlaan 20
>1058 EA Amsterdam
>The Netherlands
--
David Knight French
Black Mountain Computer Consulting
Voice: (858)279-4862
Email: [EMAIL PROTECTED]
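
Added example (not part of the original messages, and not code from OpenSSH or Solaris): the service/"other" fallback described in the reply, as a small Python parser for pam.conf-style text that resolves the stack sshd would actually get and checks that pam_unix sits ahead of pam_krb5. The sample configuration and all function names are constructed for illustration; service and type names are matched as exact strings, which is an assumption.

```python
# Constructed sample pam.conf content, not taken from a real host.
SAMPLE_PAM_CONF = """\
other  auth      required  /usr/lib/security/$ISA/pam_unix.so.1
other  account   required  /usr/lib/security/$ISA/pam_unix.so.1
other  password  required  /usr/lib/security/$ISA/pam_unix.so.1
sshd   auth      required  /usr/lib/security/$ISA/pam_unix.so.1
sshd   auth      required  /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
sshd   account   required  /usr/lib/security/$ISA/pam_krb5.so.1
"""

def parse_pam_conf(text):
    """Return (service, type, control, module_path, options) tuples in file order."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pam.conf line: {line!r}")
        entries.append((fields[0], fields[1], fields[2], fields[3], fields[4:]))
    return entries

def effective_stack(entries, service, mtype):
    """Entries for (service, type); 'other' is used only when there are none."""
    own = [e for e in entries if e[0] == service and e[1] == mtype]
    return own or [e for e in entries if e[0] == "other" and e[1] == mtype]

def module_names(stack):
    """Module file names (path stripped), in stack order."""
    return [e[3].rsplit("/", 1)[-1] for e in stack]

def unix_before_krb5(stack):
    """True if pam_unix is stacked ahead of pam_krb5, as the reply recommends."""
    names = module_names(stack)
    try:
        return names.index("pam_unix.so.1") < names.index("pam_krb5.so.1")
    except ValueError:          # one of the two modules is missing from the stack
        return False

if __name__ == "__main__":
    entries = parse_pam_conf(SAMPLE_PAM_CONF)
    for mtype in ("auth", "account", "password"):
        print("sshd", mtype, "->", module_names(effective_stack(entries, "sshd", mtype)))
    print("pam_unix before pam_krb5:",
          unix_before_krb5(effective_stack(entries, "sshd", "auth")))
```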