Help with Kerberos5 "rlogin -x -f" command on Solaris 8/9 and PAM.

Mukarram Syed muksyed at stanford.edu
Thu Apr 10 21:59:22 EDT 2008 

 

Hi,

I have been trying to configure the /etc/pam.conf file to get rlogin -x -f
to work on our Stanford Solaris servers.

rlogin -x -f <servername> works, but the problem is that it does not get the
AFS tokens.

I am using pam_krb5 and pam_afs_session modules.

SSH works however and I could get the AFS tokens.  But some of our servers
don't run sshd and depend on rlogin (k5).

When I rlogin -x -f <servername>, the rlogin command does not even read the
/etc/pam.conf file.  If I move the /etc/pam.conf file to another name, the
rlogin -x -f <servername> command still works (without afs tokens), but SSH
depends on the /etc/pam.conf file since the UsePAM is set to yes in the
/etc/ssh/sshd_config file.

I am certainly not a PAM/Kerberos5 guru and hence I am posting this for some
help.

I am not sure what's missing here in the /etc/pam.conf file.

 

Thanks much.

 

# mukarram syed.

 

Here is my /etc/pam.conf file:

 

sshd    auth requisite          pam_authtok_get.so.1

sshd    auth required           pam_dhkeys.so.1

sshd    auth required           pam_unix_auth.so.1

sshd    account required                pam_unix_account.so.1

rsh     auth sufficient         pam_rhosts_auth.so.1

rsh     auth required           pam_unix_auth.so.1

ppp     auth requisite          pam_authtok_get.so.1

ppp     auth required           pam_dhkeys.so.1

ppp     auth required           pam_unix_auth.so.1

ppp     auth required           pam_dial_auth.so.1

other   auth requisite          pam_authtok_get.so.1

other   auth required           pam_dhkeys.so.1

other   auth required           pam_unix_auth.so.1

passwd  auth required           pam_passwd_auth.so.1

cron    account required        pam_projects.so.1

cron    account required        pam_unix_account.so.1

other   account requisite       pam_roles.so.1

other   account required        pam_projects.so.1

other   account required        pam_unix_account.so.1

other   session required        pam_unix_session.so.1

rlogin session required /usr/local/lib/security/pam_krb5.so use_first_pass
forwardable retain_after_close minimum_uid=100 search_k5login

sshd session required /usr/local/lib/security/pam_krb5.so use_first_pass
forwardable retain_after_close minimum_uid=100 search_k5login

rlogin session required /usr/local/lib/security/pam_afs_session.so
minimum_uid=100 retain_after_close program=/usr/local/bin/aklog 

sshd session required /usr/local/lib/security/pam_afs_session.so
minimum_uid=100 retain_after_close program=/usr/local/bin/aklog 

other   password required       pam_dhkeys.so.1

other   password requisite      pam_authtok_get.so.1

other   password requisite      pam_authtok_check.so.1

other   password required       pam_authtok_store.so.1

su      auth requisite          /usr/local/lib/security/su_group0.so.1

su      auth requisite          pam_authtok_get.so.1

su      auth required           pam_dhkeys.so.1

su      auth required           pam_unix_auth.so.1

More information about the Kerberos mailing list