Kerberos auth based on ticket

Mathew Rowley mathew_rowley at cable.comcast.com
Mon Dec 15 18:36:13 EST 2008


I am having a really hard time finding any documentation about PAM
configurations.  I want to be able to authenticate an SSH login with a valid
Kerberos ticket.  What configurations do I need within the
/etc/pam.d/system-auth file to allow an authentication to succeed with a
valid ticket.  Here is what I currently have:

Valid ticket:
[root at ipa01 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: mrowley at IPA.COMCAST.COM

Valid starting     Expires            Service principal
12/15/08 18:11:50  12/16/08 18:11:50  krbtgt/IPA.COMCAST.COM at IPA.COMCAST.COM


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

System-auth will use Œpam_krb5¹ as sufficient
[root at ipa01 ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond
quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so

Yet, when I attempt to log in, it still asks me for a password ­ even though
I have a valid ticket...
[root at ipa01 ~]# ssh mrowley at localhost
mrowley at localhost's password:
  

Any help would be appreciated.  Thanks.

-- 
MAT



More information about the Kerberos mailing list