Re: heimdal kerberos & ssh

From: Stijn Hoop (stijn_at_win.tue.nl)
Date: 08/31/05

    Date: Wed, 31 Aug 2005 15:18:56 +0200
    To: questions@freebsd.org

    OK, I think I figured this out, at least partially:

    On Wed, Aug 31, 2005 at 01:23:00PM +0200, Stijn Hoop wrote:
    > So it seems that the authentication is working, however the TGT is not
    > being saved.

    It turns out that you really need to specify the 'ccache' parameter to pam_krb5
    but in the correct format:

    auth required pam_krb5.so no_warn try_first_pass ccache=FILE:/tmp/krb5_%u

    Furthermore, do not test logging in with a user that has both a local account
    and a kerberos principal -- it may confuse you :-/

    For the record here is the /etc/pam.d/sshd that I think works:

    %%%
    # auth
    auth required pam_nologin.so no_warn
    auth sufficient pam_opie.so no_warn no_fake_prompts
    auth requisite pam_opieaccess.so no_warn allow_local
    auth required pam_krb5.so no_warn try_first_pass ccache=FILE:/tmp/krb5_%u

    # account
    account required pam_krb5.so
    account required pam_login_access.so

    # session
    session required pam_permit.so

    # password
    password required pam_krb5.so no_warn try_first_pass
    %%%

    However:

    - I still don't get a valid cache file with a user that also has a local
      password (manually doing kinit works just fine). This is really strange..
    - there's a strange 2-3 second delay when logging in, that I can't explain.
      It feels like some sort of timeout but I can't figure out what...

    Anyone recognize this? And again, if there's someone out there with a working
    setup, I'd love to see the config files.

    --Stijn

    -- 
    This sentence contradicts itself -- no actually it doesn't.
    		-- Hofstadter
    _______________________________________________
    freebsd-questions@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-questions
    To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
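The point of the post is that pam_krb5 only stores the TGT when the `ccache=` argument is present and written in the `<TYPE>:<path>` form. As an added example (not from the post or from FreeBSD's pam_krb5), here is a small checker that parses `/etc/pam.d/sshd`-style lines and flags a pam_krb5 auth entry that either lacks `ccache=` or gives it without a cache-type prefix. The sample config is constructed from the post above; the list of accepted cache types is an assumption (the post only uses `FILE:`), and `%u` is left unexpanded.

```python
import re
from typing import Dict, List

# Constructed sample, copied from the post's working /etc/pam.d/sshd.
SAMPLE_PAMD_SSHD = """\
# auth
auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth required pam_krb5.so no_warn try_first_pass ccache=FILE:/tmp/krb5_%u

# account
account required pam_krb5.so
account required pam_login_access.so
"""

# Cache types the checker accepts (assumption; the post only shows FILE:).
CCACHE_RE = re.compile(r"^(FILE|DIR|MEMORY|KCM|API):(.+)$")


def parse_pamd(text: str) -> List[Dict]:
    """Parse pam.d lines into {type, control, module, args} records.

    Arguments of the form key=value become args[key] = value; bare flags
    such as no_warn become args[flag] = True. Comments/blank lines skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed pam line: {raw!r}")
        args: Dict[str, object] = {}
        for tok in fields[3:]:
            key, sep, val = tok.partition("=")
            args[key] = val if sep else True
        entries.append({"type": fields[0], "control": fields[1],
                        "module": fields[2], "args": args})
    return entries


def check_krb5_ccache(entries: List[Dict]) -> List[str]:
    """Return problems with the pam_krb5 auth entry; empty list means OK."""
    problems = []
    krb5 = [e for e in entries
            if e["type"] == "auth" and e["module"].startswith("pam_krb5")]
    if not krb5:
        return ["no pam_krb5 auth entry: Kerberos password auth is not wired in"]
    for e in krb5:
        cc = e["args"].get("ccache")
        if cc is None:
            problems.append("pam_krb5 auth has no ccache=: TGT will not be saved")
        elif not isinstance(cc, str) or not CCACHE_RE.match(cc):
            problems.append(f"ccache={cc!r} lacks a <TYPE>: prefix, "
                            "expected e.g. ccache=FILE:/tmp/krb5_%u")
    return problems
```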