FYI: Kerberos on RHEL5

Edgecombe, Jason jwedgeco at uncc.edu
Fri Apr 6 15:18:37 EDT 2007


Thanks.

I might try that.

Are there any rpms for your pam_krb5? 

Thanks,
Jason

Jason Edgecombe
Solaris & Linux Administrator
Mosaic Computing Group, College of Engineering
UNC-Charlotte
Phone: (704) 687-3514
 

-----Original Message-----
From: Russ Allbery [mailto:rra at stanford.edu] 
Sent: Friday, April 06, 2007 2:47 PM
To: Edgecombe, Jason
Cc: kerberos at mit.edu
Subject: Re: FYI: Kerberos on RHEL5

Edgecombe, Jason <jwedgeco at uncc.edu> writes:

> This is a heads-up for anyone using kerberos on RedHat Enterprise Linux
> 5.

> I just solved a problem that's been a royal pain for me.

> I had console and gdm logins working fine for RHEL5 and I got kerberos
> single-signon working for ssh, but I had trouble getting password
> authentication working. It would accept my kerberos password, but I would
> have any tickets or tokens.

> To solve my problem, I had to enable the use_shmem option in
> /etc/krb5.conf for use with sshd.

This is because the Red Hat PAM module tries to use PAM data to pass
information between the auth module and the session module, which OpenSSH
breaks due to its weird PAM handling.

If you use:

    <http://www.eyrie.org/~eagle/software/pam-krb5/>

you shouldn't have this problem and you shouldn't have to use shared
memory hacks to work around it.  (I personally would rather use a
temporary file cache than a shared memory cache because it's a hell of a
lot easier to debug when something goes wrong.  But mileage may vary.)

I'm always interested in any shortcomings of my module that have people
still using other PAM modules for reasons other than "I want to use the
one that comes with the OS" and will try to fix them as I have time.

-- 
Russ Allbery (rra at stanford.edu)
<http://www.eyrie.org/~eagle/>



